The Value of Multi-Factor Authentication with Amazon Web Services

This week, O'Reilly author George Reese assesses the real-world applicability of a recently announced cloud security control.  Meaningful security control or pleasing the checklist brigade?  My thanks to George for taking time out of his busy schedule to contribute to fudsec - much appreciated.

By George Reese

Amazon recently released a new service called Amazon Multi-Factor Authentication (MFA) for Amazon Web Services (AWS). Amazon’s MFA enables you to configure your AWS account to leverage two-factor authentication for access to the AWS console. The AWS MFA is based upon the Initiative for Open Authentication (OATH) HMAC-based One Time Password (HOTP) specification.

AWS and OATH HOTP

Amazon Web Services is a cloud computing infrastructure provider that enables you to provision virtualized hardware resources (servers, firewalls, block storage devices, etc.) via a web services API and pay for those resources by the hour. A typical systems administrator at a customer using AWS will log in to Amazon’s web interface to launch servers and perform other actions. Because the system is based on a web services API, a number of third-party solutions exist that provide extended functionality.

When you create an AWS account, you leverage your existing Amazon consumer account. Each AWS account is then associated with exactly one Amazon user. In other words, one account = one user ID = one person.

As more enterprises adopt AWS to support their IT infrastructure, AWS has been seeing demand for multi-factor authentication to address corporate security policies that require multi-factor authentication when performing administrative functions on systems that house sensitive data. Multi-factor authentication is a solid business best practice for such systems. When AWS introduced MFA, they wrote that “[MFA] should be especially attractive to our enterprise-level customers, but we expect customers of all types to value the additional security.”

Under MFA, I purchase a device from Gemalto that synchronizes with AWS and generates a one-time password. Any time I attempt to log in to my AWS account after configuration, I must provide two factors of authentication:

  • My user ID + password (something I know)
  • The next token from my device (something I have)

Does AWS Realize the Benefits of MFA?

Paradoxically, AWS MFA is wrong for the customers for whom it was designed and perfect for everyone else. If you are a small business with a single AWS account managed by one system administrator, AWS MFA is for you. It costs just $13 to purchase the device and access to the service is free.

As I noted in the quote earlier, AWS did not design MFA for that audience. Instead, AWS developed the MFA solution for organizations that have multi-factor authentication as a checklist security requirement for administrative access to information security systems housing sensitive data.

MFA suffers from an inherent problem in OTP solutions like OATH HOTP that rely on a key shared between the device and the server: you need a separate device for every system you manage unless those systems are tied together via some kind of single sign-on solution. Having to remember a dozen passwords is painful; having to carry around a dozen key fobs is unmanageable.
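To make the "one shared key per account" point concrete, here is an added example (not code from the original post, from Amazon or from Gemalto) implementing HOTP as RFC 4226 defines it, plus a hypothetical per-account verifier with the look-ahead resynchronization window the RFC describes. The secret is the RFC's own test vector; the `AccountVerifier` class and its window size are my construction.

```python
import hashlib
import hmac
import struct

# Test secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AccountVerifier:
    """Server-side state for ONE account: its own secret and its own counter.

    Because the secret is bound to a single account, a token generated by
    the device provisioned for account A is meaningless to account B; this
    is why each HOTP-protected system needs its own device.  The look-ahead
    window lets the server resynchronize when the user pressed the device
    button a few times without logging in (RFC 4226 section 7.4).
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0       # next counter value the server expects
        self.window = window

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                # Advance past the accepted counter so the same token (or
                # any earlier one) can never be replayed against this account.
                self.counter = c + 1
                return True
        return False
```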

If you have a single AWS account, there’s no need to carry around a dozen devices—one works just fine. An enterprise—the target market for this offering—is likely to have multiple people managing multiple AWS accounts. Both the “multiple people” and the “multiple accounts” aspects of the AWS authentication system make MFA unsuitable to the enterprise market.

I’ve already addressed why multiple accounts are problematic—you have to carry around a new device for each account. Though single sign-on is a solution to the multiple device problem, AWS does not support single sign-on across different AWS accounts. If you have multiple accounts protected by AWS MFA, you need multiple devices.

The multiple people problem is much more significant. It too is related to the one AWS account = one user = one person structure of Amazon Web Services. While one person = one user is proper, the fact that one user = one AWS account makes it impossible for those people who need multi-factor authentication to meet other policy needs. In particular, you cannot implement both of the following security policies with AWS:

  • One person = one user
  • Redundancy in administrative roles

If you want redundancy in administrative roles, you must share an AWS user and the supporting credentials between at least two individuals. If you want to support one person = one user, you cannot have a backup administrator for your AWS account. For a large enterprise, opting to comply with the one person = one user policy is just not operationally possible with AWS. By design, however, AWS MFA enforces one person = one user because only one person can have the device tied to the user (and only one person can carry the device at any time).

One final issue with enterprise adoption of AWS MFA: it’s US-only. In other words, businesses with systems administrators outside the US cannot use this service. Furthermore, no timeline exists for availability outside the US.

The Bottom Line

Given the current design of AWS authentication, AWS MFA looks like a checklist item poorly suited to the needs of the people with the checklists (enterprises). AWS would have been better off implementing an SMS-based system. Though such a system is exposed to attack vectors that the AWS system is not, it is ultimately much more practical for enterprise IT operations.