Amazon Web Services (AWS) is to widen the scope of a mandatory multi-factor authentication (MFA) programme it introduced earlier this year, after seeing strong uptake among customers and a slump in password-related phishing attacks.
The cloud giant made MFA compulsory for management account root users in the AWS Management Console beginning in May 2024, starting with its largest accounts. In June, it added support for FIDO2 passkeys as an MFA method to give users more options, and expanded the original requirement to include root users in standalone accounts, too.
According to AWS principal product manager of account protection Arynn Crow, over 750,000 root users have enabled MFA since April, with customer registration rates more than doubling since the addition of FIDO2 passkeys to the mix. She claimed the policy change had prevented “greater than 99%” of password-related attacks.
“At AWS, we’ve built our services with secure-by-design principles from day one, including features that set a high bar for our customers’ default security posture,” said Crow. “Strong authentication is a foundational component in overall account security, and the use of MFA is one of the simplest and most effective ways to help prevent unauthorised individuals from gaining access to systems or data.”
Based on this early success, AWS will now expand the MFA requirement to member accounts in AWS Organizations from spring 2025.
“Customers who have not enabled central management of root access will be required to register MFA for their AWS Organizations member account root users in order to access the AWS Management Console,” said Crow.
“As with our previous expansions to management and standalone accounts, we will roll this change out gradually and notify individual customers who are required to take action in advance, to help customers adhere to the new requirements while minimising impact to their day-to-day operations.”
No more passwords anymore
On the back of its early successes with an MFA mandate, Crow said AWS was keen to do more to shore up security for its customers, and had recognised another opportunity to try to eliminate unnecessary passwords for good.
She said that on top of the run-of-the-mill security issues seen with standard passwords, attempting to secure password-based authentication was introducing too much operational overhead for AWS customers, especially those operating at scale or subject to regulatory requirements to rotate their credentials frequently.
As such, AWS has now launched a new capability to centrally manage root access for accounts managed in AWS Organizations, enabling customers to cut down on the number of passwords they need to manage while still keeping control over the use of root principals.
Crow explained that customers can now turn on centralised root access with a quick configuration change – either in the identity and access management console or the AWS command line interface – and then remove the long-term credentials of member account root users.
“This will improve the security posture of our customers while simultaneously reducing their operational effort,” she concluded.
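The configuration change Crow describes, worked through as an added AWS CLI example that is not from the article or from AWS: enable central root-credential management from the management account, then remove a member account's root password and access keys through a short-lived, task-scoped root session. Subcommand names, the task-policy ARN and the optional user name on delete-login-profile are assumed to match the AWS CLI reference at the time of writing; the account ID is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not the article's or AWS's own code). ASSUMPTION: the
# subcommands, the root-task policy ARN and the optional user name on
# delete-login-profile follow the AWS CLI reference at time of writing.
set -eu

ROOT_TASK_POLICY_PREFIX="arn:aws:iam::aws:policy/root-task"

# Build the ARN of an AWS-managed root task policy from its short name.
root_task_policy_arn() { echo "${ROOT_TASK_POLICY_PREFIX}/$1"; }

# Refuse anything but a 12-digit account ID before it reaches assume-root.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Run from the management account: let IAM act across the organization,
# switch on central root-credential management, then confirm the feature
# list now contains RootCredentialsManagement.
enable_central_root_management() {
  aws organizations enable-aws-service-access --service-principal iam.amazonaws.com
  aws iam enable-organizations-root-credentials-management
  aws iam list-organizations-features --query 'EnabledFeatures' --output text
}

# Per member account: take a 15-minute root session limited to the
# credential-deletion task policy, delete the root password and any root
# access keys, then audit that no root access keys remain (expects 0).
remove_member_root_credentials() {
  valid_account_id "$1" || { echo "bad account id: $1" >&2; return 1; }
  set -- "$1" $(aws sts assume-root --target-principal "$1" \
        --task-policy-arn "arn=$(root_task_policy_arn IAMDeleteRootUserCredentials)" \
        --duration-seconds 900 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  export AWS_ACCESS_KEY_ID="$2" AWS_SECRET_ACCESS_KEY="$3" AWS_SESSION_TOKEN="$4"
  aws iam delete-login-profile
  for key in $(aws iam list-access-keys --query 'AccessKeyMetadata[].AccessKeyId' --output text); do
    aws iam delete-access-key --access-key-id "$key"
  done
  aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent' --output text
}

# Usage: sh this_script.sh enable   |   sh this_script.sh remove 123456789012
case "${1:-}" in
  enable) enable_central_root_management ;;
  remove) remove_member_root_credentials "${2:-}" ;;
esac
```

Run `enable` once with management-account credentials that can call IAM and Organizations, then `remove` once per member account; the root session expires on its own after 900 seconds.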