I write this as I sit here weeping tears of joy. After many years of customer requests, #awswishlists, and me accosting innocent AWS employees at conferences to demand the feature, it’s finally here: the ability to use a Yubikey as a factor to authenticate to the AWS console instead of an app or device that generates a six digit code for us to type in. Press button, receive login.
You wouldn’t think this would be such a big deal; after all, how often do you log into the AWS console? That was of course a joke; despite how much we all talk about infrastructure as code, there are some things that still require the AWS console. Anyone who tells you they never look at the console for anything likely isn’t doing very much with AWS, or else is living five years in the future. Add in the fact that a lot of physical devices suck at keeping accurate time, and you’re suddenly in a depressing world of trying to break into your own AWS account if you haven’t synced lately.
Here in the real world, I’m changing between accounts fairly frequently (not all of my clients are comfortable with AssumeRole configurations), and while aws-vault helps, I still have to punch in a code to my terminal to authenticate at least daily. It grows tiresome, and way too many MFA tokens have been cluttering up my MFA app.
A few caveats– as of the time of this writing, there’s still only support for a single MFA device per IAM account. As a result, you’re potentially going to have to fall into an unpleasant edge case if you’re like me and use multiple computers (or tablets!) to log into AWS. I spend a depressing amount of time on the road, and generally only take my iPad with me (this post is written on it). iOS doesn’t support USB-C today, so Yubikeys are a non-starter for anything that doesn’t work with Yubikeys for other applications. If you’re using a phone to log into AWS, you have my sympathy.
The workaround I have now is unfortunate; I hate this pattern so much. I’ve created two IAM accounts for myself with the same permissions. One supports the soft-token that lets me log in from my iPad, the other lets me use my Yubikey. This immediately doubles the number of IAM accounts I have to manage, and I’m looking for a better option– but so far, no dice.
One last feature that may raise an eyebrow or two– Yubikeys work for the root account, a place where you very much want another factor for login. Suddenly there’s a much better answer to “how do we securely store the second factor for our company?” Put a Yubikey in the safe, and you’re effectively done. It doesn’t lose power, it doesn’t require time syncing, and they’re incredibly robust.
This is the point in the article where you might expect me to throw some shade at AWS for taking this long to roll the feature out. Normally you’d be right, but I think that’d be profoundly uncharitable of me in this case. “By the way, we’re changing how login security works” is fundamentally incompatible with the many, many, many security regimes with which AWS complies. The fact that this got done at all is a testament to the hard work, drive, and determination of the AWS team that got this done. If you’re on that team or can point me to someone who is, please reach out; this is a fantastic achievement of which you should be rightly proud, and I’d like to thank you personally for your dedication.