
AWS now supports U2F/Yubikeys - captn3m0
https://aws.amazon.com/blogs/security/use-yubikey-security-key-sign-into-aws-management-console/
======
pg_bot
While this is a great step forward for U2F adoption, AWS made the same mistake
several other online services have made by only allowing a single key per
account. The typical U2F user carries at least two keys (one on their person
and one stored securely for backup). I hope they decide to change this because
it will cause a ton of customer support problems in their future.

~~~
cmurf
When I had 2FA enabled, using Google Authenticator, and had to reset my phone,
I was locked out of AWS. No backup codes. No texting. Nothing. Had to send in
a ticket and get a callback.

~~~
bdcravens
FWIW, Authy does let you store and recover TOTP accounts via password.

~~~
lrvick
And this is also what makes Authy a terrible 2FA tool no one should use ever.

It stores your secrets in plain text on the phone without any secure enclave.
If your backup password is sniffed or there is a flaw in Authy or your mobile
OS sandboxing fails you are toast.

~~~
bluesign
If your mobile OS sandboxing fails, you are toast in any scenario. I think
every authenticator app is toast as long as the mobile sandbox is compromised.

------
robbiet480
Key note: U2F isn't currently supported in the API, CLI or mobile apps. Docs
are unclear as to what the fallback 2FA is, if there is one. Also, as before,
you can only have one 2FA method configured at a time, so say goodbye to your
hardware tokens or TOTP configurations for AWS if you switch to U2F.

EDIT: "Fallback" is to have root account remove your IAM user 2FA. If root
account 2FA is lost they have a few alternative verification options like
email or phone call. [1]

1:
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html)

~~~
Alex3917
> Also, as before, you can only have one 2FA method configured at a time, so
> say goodbye to your hardware tokens or TOTP configurations for AWS if you
> switch to U2F

AWS makes it super quick and easy to remove lost 2FA devices using the root
account, so it doesn't really matter as much as losing your 2FA for a crypto
exchange or whatever where it's going to take at least a week or two to reset.
Just keep TOTP on the root account, since you shouldn't be logging into that
on a regular basis anyway.

------
cespare
It's frustrating that they only allow a single key. I use 4 different hardware
U2F devices. Google, GitHub, Dropbox, and every other service on which I've
set up U2F have always allowed me to attach all of my security keys. It seems
like AWS is about 3 years behind on this stuff.

------
lvh
This is underwhelming.

- Requiring the attestation cert and not accepting a self-signed one—which
U2F devices will magically not work? I don’t know, but apparently it’s
strictly Yubikeys now.

- Still not convinced anyone seriously uses the console except for root
accounts, where AWS forces you to.

- Only one U2F key? Bad. Only one U2F key and overall only one MFA method at
all, disabling MFA where it matters most? Baffling.

- The legacy U2F API instead of just using WebAuthn already?

This is one of those things where I keep thinking I should just open source
the SAML thing that safely gets an assertion to your CLI where you can assume-
role with it, but who knows when AWS is going to decide to reimplement your
project.

~~~
holstvoogd
> which U2F devices will magically not work?

At least Krypton doesn't work, neither do Titan keys it seems.

I would consider they did that on purpose in some kind of deal with Yubico.
But given the general level of 'burning-pile-of-failure' AWS manages to produce
around the console, it is probably just that they didn't know.

~~~
tialaramex
If they require attestation that's one more reason I won't be using this,
sadly. I always block attestation because there's no need for it when you're
supposedly offering an optional second factor, even though I actually do own a
Yubico product.

It makes no security sense to check attestation if your second factor is
optional. How could a non-Yubico second factor make things worse compared to
not using one? It couldn't. If you really, really care then store the
attestations so that when fifty customers claim their U2F was broken into you
can show that they all have Crap Co. FIDO tokens and point the finger at Crap
Co. that's the absolute most that makes any sense with attestation.

Now, if second factor is _mandatory_ then it could make sense to decide OK, we
trust Mattel, Apple and LexCorp but not HP, Tyrell Corp, or Weyland-Yutani.
It's anticipated that banks (in fifty years when they hear about this new-
fangled FIDO technology) would want that, giving customers their own tokens
with their own attestation certs. But for an outfit like AWS this option makes
no sense, so the correct design is to Never Ask, and if some higher-up insists
on asking, just store the answer (including "No, fuck off") with the user's
account and press on anyway.

------
tptacek
Bear in mind that probably as many AWS accounts are popped by losing access
keys as IAM logins (if you're logging in to the _root account_ , stop doing
that).

For the access keys, you should look into things like aws-vault, which wrap
the STS so that your shell is only ever handling temporary session-bound keys.

~~~
jiveturkey
Hadn’t heard of aws-vault, awesome! Egg on my face as I consider myself an
expert.

------
_Codemonkeyism
Sooner or later I'll move away from Gmail b/c they make it hard for U2F to be
used with Firefox. More U2F is the way to go; hopefully everyone supports it in
the not too distant future.

~~~
emlun
Google did suddenly start supporting U2F in Firefox a few months ago!

~~~
_Codemonkeyism
Somehow doesn't work for me :-(

~~~
todd8
U2F is by default disabled in Firefox. You have to turn it on before using
your Yubico (or other FIDO) key for a service being accessed through Firefox.
It’s easy to enable. See
[https://www.trishtech.com/2018/07/enable-fido-u2f-security-k...](https://www.trishtech.com/2018/07/enable-fido-u2f-security-key-yubikey-in-mozilla-firefox/)

~~~
_Codemonkeyism
Did that some time ago already, doesn't work for me, I can't log in with my
Yubikey, which at the same time works from Chrome.

~~~
todd8
Oh sorry it wasn't something simple. I just enabled it on my laptop yesterday
and it worked (Firefox 62.0.2 running on MacOS 10.14).

At first I thought that I hadn't enabled right. After checking the setting
again, I found the problem--I had plugged the Yubico Key in upside-down.

------
nhumrich
So, what I never understood about this flow is that only admins can set up
MFA. A non-admin (any account without IAM permissions) has no way to set up
MFA unless an admin does it for them. Currently, I have to have the person
tell me their MFA codes next to me, so I can type them in and set it up. How
does this work for U2F? Do I have to use their USB device on my computer to
allow them to have MFA? It's such a chicken and egg problem.

~~~
akerl_
You can give IAM users permission to add their own MFA device. I’d recommend
requiring MFA to remove the device to prevent an attacker from doing so.
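
One way to express the policy akerl_ describes, as an added example that is not part of this thread and not AWS's own code or documentation: an IAM policy document that lets a user enrol their own MFA device but denies deactivating it unless the session already carries MFA, plus a small evaluator (a simplification of IAM's real engine, written for this example) that shows the resulting decisions. The account id and usernames are constructed; the action names, resource ARN patterns and the `aws:MultiFactorAuthPresent` condition key are the real IAM ones.

```python
"""Self-service MFA enrolment policy, plus a tiny evaluator to show its effect.

Added example; not from this thread and not AWS's own code or documentation.
The policy lets an IAM user manage only their own MFA device, and the second
statement denies removing that device unless the current session was itself
authenticated with MFA. The evaluator models only the IAM semantics needed
here: an explicit Deny beats an Allow, ${aws:username} is filled from the
request context, and BoolIfExists treats a missing context key as matching
(the key is absent when a request is signed with long-term access keys).
"""
import re

# Account id and usernames used below are constructed for the example.
SELF_SERVICE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ListMFADevices",
                "iam:DeactivateMFADevice",
                "iam:DeleteVirtualMFADevice",
            ],
            "Resource": [
                "arn:aws:iam::*:user/${aws:username}",
                "arn:aws:iam::*:mfa/${aws:username}",
            ],
        },
        {
            # Removal is allowed above, but this Deny overrides it whenever the
            # caller has not proven possession of the MFA device in this session.
            "Sid": "DenyMFARemovalWithoutMFA",
            "Effect": "Deny",
            "Action": ["iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def _conditions_hold(condition: dict, ctx: dict) -> bool:
    """Supports Bool and BoolIfExists, which is all this policy uses."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in ctx:
                if operator == "BoolIfExists":
                    continue          # missing key counts as a match
                return False          # plain Bool needs the key to be present
            if str(ctx[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        resources = [r.replace("${aws:username}", ctx["aws:username"])
                     for r in _as_list(stmt["Resource"])]
        if not any(_glob(r, resource) for r in resources):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"             # explicit Deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    alice = "arn:aws:iam::123456789012:user/alice"
    without_mfa = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "false"}
    with_mfa = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
    for action, ctx in [("iam:EnableMFADevice", without_mfa),
                        ("iam:DeactivateMFADevice", without_mfa),
                        ("iam:DeactivateMFADevice", with_mfa)]:
        print(action, ctx["aws:MultiFactorAuthPresent"], "->",
              evaluate(SELF_SERVICE_MFA_POLICY, action, alice, ctx))
```

The `BoolIfExists` operator is the important detail: a request signed with long-term access keys carries no `aws:MultiFactorAuthPresent` key at all, and a plain `Bool` test would silently fail to deny in that case. The evaluator is a teaching model only; attach the policy to a group and check it with the IAM policy simulator before relying on it.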

------
barryp
Can you have more than one YubiKey associated with an AWS account? Or also
set up TOTP, or have a set of backup codes in case you lose your hardware
device? Seems kind of dangerous if you can only have one MFA method set up.

~~~
robbiet480
No. But you also couldn't have a TOTP + Hardware token previously to U2F
introduction [1]. AWS has also never had backup codes to my knowledge, other
than saving the secret key used to generate TOTP codes. The "backup" has
always been maintaining access to the root account to allow that to reset 2FA
as needed.

1:
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_u2f.html)
("You can enable one MFA device (of any kind) per root user or IAM user.")

~~~
chiefalchemist
That can't last (i.e., not more than one). The main reason being you can lose
a key, forget it, have it stolen, break it, etc. Without a second you'll be
living on the edge. They're gonna have to support more than one.

I have a Yubikey for my LastPass. I lived with a single key for over a year. I
finally got two more. I'm not sure why I made myself so nervous / stressed
those 12+ months.

~~~
robbiet480
I can't be sure without reading the docs, and I don't care to at the moment
TBQH, but it may be possible to remove MFA via API keys for the account.

------
michaelanckaert
I don't find the lack of multiple U2F keys a big problem. It would be a great
feature, but considering proper user management it's not a big fail in my
opinion.

In my case all AWS accounts have a root user that has MFA enabled and that
secret key is stored in a password vault. When a root user login is needed the
key is plugged into an OTP application, tasks are performed and then the key
is removed from the application.

I do however miss MFA when using the AWS CLI. A lot of my clients require MFA
enabled when assuming a role in their account.

------
m-p-3
Now if corporate banks could support this instead of those awful card readers
that use browser plugins that don't work in anything other than IE7.

------
mimming
They mention Yubikey a lot by name in the post. Has anyone tried a U2F device
from a different manufacturer?

~~~
rendaw
I tried a Trezor 1. It prompts me to press the button, but then the browser
prompts me to give permission for AWS to see the manufacturer/version of the
device and then gives me the error "Attestation Certificate is not valid."

The link to "see information about supported configurations" is 404:
[https://docs.aws.amazon.com/iam/mfa-u2f-config](https://docs.aws.amazon.com/iam/mfa-u2f-config)

~~~
mimming
Aw, that's a bummer. First Vanguard and now AWS support only Yubikey brand U2F
devices. I wonder why that's happening?

Hopefully this practice remains limited. I really don't want to haul a bag of
different security keys around with me to access all of my services.

------
nodesocket
What's the best hardware key to buy for native MacBook Pro USB-C support these
days? Is it the YubiKey 5C [1]?

[1]
[https://www.yubico.com/product/yubikey-5c/#yubikey-5c](https://www.yubico.com/product/yubikey-5c/#yubikey-5c)

~~~
Operyl
Yep!

------
4real
I’m using the Google Authenticator for MFA today, but am soon travelling
abroad for a week. Should I lose my phone on the trip, a (single) Yubikey
would be my rescue, both regarding AWS and other services supporting Yubikey.
Any thoughts?

------
atmosx
A bit off-topic but, how does a yubikey compare to a password manager (e.g.
1Password) + biometric auth?

What are the pros/cons?

~~~
sedatk
U2F literally stands for “Universal 2nd Factor” so it’s not a replacement for
passwords (the first factor). They are not comparable.

Not using a U2F key makes you susceptible to phishing attacks.

~~~
snarf21
Can't you still be vulnerable to a MITM phishing attack?

~~~
rejberg
What do you mean by a MITM phishing attack?

U2F credentials are tied to a particular domain, and so do not rely on the
user making sure they are on the correct website. As such, they are not
susceptible to typical credential phishing attacks.
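
The origin binding rejberg describes is worth seeing in code. The simulation below is an added example, not from this thread and not Yubico's or any vendor's code: it models U2F registration and authentication with the standard library only, so HMAC-SHA256 stands in for the ECDSA P-256 signature a real device produces, and the origins are constructed. What gets hashed and signed follows the U2F protocol: the application parameter is SHA-256 of the relying party's origin, the challenge parameter is SHA-256 of the client data (which carries origin and challenge), and the key handle the device hands back is bound to the application parameter it was registered under, so a lookalike origin cannot even obtain a signature.

```python
"""Why a U2F credential does not work on a phishing origin: a simulation.

Added example, not from the thread and not any vendor's code. HMAC-SHA256
stands in for the ECDSA P-256 signature of a real device so this runs with
the standard library only. All origins and usernames are constructed.
"""
import hashlib
import hmac
import json
import os

FLAG_USER_PRESENCE = b"\x01"     # U2F "user presence" flag byte


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Device side. The master secret never leaves the device."""

    def __init__(self):
        self.master = os.urandom(32)
        self.counter = 0

    def _site_key(self, nonce: bytes, app_param: bytes) -> bytes:
        # Per-site key derived from the master secret: every origin gets its own.
        return hmac.new(self.master, b"key" + nonce + app_param, hashlib.sha256).digest()

    def register(self, app_param: bytes):
        nonce = os.urandom(16)
        # Key handle = nonce || MAC(app_param, nonce). The MAC ties the handle
        # to the origin it was registered for; the device stores nothing per site.
        tag = hmac.new(self.master, b"handle" + app_param + nonce, hashlib.sha256).digest()
        # Stand-in for the public key: the RP receives the site key and verifies
        # HMACs with it (a real device returns an ECDSA public key instead).
        return nonce + tag, self._site_key(nonce, app_param)

    def authenticate(self, app_param: bytes, challenge_param: bytes, key_handle: bytes):
        nonce, tag = key_handle[:16], key_handle[16:]
        expected = hmac.new(self.master, b"handle" + app_param + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # This check defeats phishing: a handle minted for one origin is
            # rejected when presented with any other origin's application parameter.
            raise ValueError("key handle was not registered for this application")
        self.counter += 1
        signed = app_param + FLAG_USER_PRESENCE + self.counter.to_bytes(4, "big") + challenge_param
        sig = hmac.new(self._site_key(nonce, app_param), signed, hashlib.sha256).digest()
        return self.counter, sig


def browser_sign(auth: Authenticator, origin: str, challenge: str, key_handle: bytes):
    """Browser side. The browser, not the page, supplies the origin it is showing."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    counter, sig = auth.authenticate(sha256(origin.encode()), sha256(client_data), key_handle)
    return client_data, counter, sig


class RelyingParty:
    """Server side for one origin (constructed, not a real AWS endpoint)."""

    def __init__(self, origin: str):
        self.origin = origin
        self.app_param = sha256(origin.encode())
        self.credentials = {}     # username -> [key_handle, site_key, last_counter]

    def register(self, username: str, auth: Authenticator) -> bytes:
        key_handle, site_key = auth.register(self.app_param)
        self.credentials[username] = [key_handle, site_key, 0]
        return key_handle

    def verify(self, username: str, client_data: bytes, counter: int, sig: bytes) -> bool:
        key_handle, site_key, last_counter = self.credentials[username]
        if json.loads(client_data)["origin"] != self.origin:
            return False          # client data was signed for a different origin
        signed = self.app_param + FLAG_USER_PRESENCE + counter.to_bytes(4, "big") + sha256(client_data)
        if not hmac.compare_digest(sig, hmac.new(site_key, signed, hashlib.sha256).digest()):
            return False          # signature does not verify
        if counter <= last_counter:
            return False          # replayed response or cloned device
        self.credentials[username][2] = counter
        return True


def legitimate_login(rp: RelyingParty, auth: Authenticator, username: str, key_handle: bytes) -> bool:
    challenge = os.urandom(16).hex()
    client_data, counter, sig = browser_sign(auth, rp.origin, challenge, key_handle)
    return rp.verify(username, client_data, counter, sig)


def phishing_attempt(rp: RelyingParty, auth: Authenticator, username: str,
                     key_handle: bytes, phishing_origin: str) -> str:
    """The user is on phishing_origin, which relays the real site's challenge
    and key handle. Returns the reason the attempt fails."""
    challenge = os.urandom(16).hex()
    try:
        browser_sign(auth, phishing_origin, challenge, key_handle)
    except ValueError as exc:
        return "device refused: " + str(exc)
    return "unexpected: device signed for a foreign origin"


if __name__ == "__main__":
    device = Authenticator()
    site = RelyingParty("https://console.example")
    handle = site.register("alice", device)
    print("legitimate login ok:", legitimate_login(site, device, "alice", handle))
    print("lookalike origin:", phishing_attempt(site, device, "alice", handle, "https://consle.example"))
```

The point the script makes is that the user's judgement never enters the flow: the browser computes the application parameter from the origin it is actually displaying, the device refuses a key handle that was not minted for that origin, and even a device that signed anyway would produce a signature over the wrong application parameter and client data, which the real relying party rejects. The counter check is a separate defence against replay and cloned devices and is checked in the test as well.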

~~~
snarf21
Things like this:
[https://security.stackexchange.com/questions/157756/mitm-att...](https://security.stackexchange.com/questions/157756/mitm-attacks-on-fido-uaf-and-u2f)

This is assuming an owned machine. Not the easiest attack but still possible.
Obviously things like Google Authenticator (while good) are even more
susceptible to MITM phishing.

~~~
scrollaway
If the machine is owned it's trivial to dig the cookie jar once you're logged
in.

------
aasasd
Too bad I can't pay for AWS through my bank because my bank doesn't allow
payments without CVC for their insecurity. As do almost all banks in the
country.

------
asprouse
Does the Node.js SDK support U2F?

~~~
robbiet480
The docs say that U2F isn't currently supported via any method other than the
AWS Console. No API, no CLI, no mobile apps.

~~~
closeparen
_Could_ it be? It’s a browser-based protocol.

~~~
kam
Sure. The CLI or SDK could talk to the USB device directly, like the browser
does.

e.g.
[https://developers.yubico.com/libu2f-host/](https://developers.yubico.com/libu2f-host/)

------
bigiain
:sigh: The same week I ditched Chrome in favour of Safari...

~~~
mtgx
You can toggle security.webauth.u2f to true in about:config on Firefox.

~~~
Operyl
GP is using Safari, which has no native U2F support. I'm assuming the user
isn't using Firefox for similar reasons to those I (and many others) have
thrown around: its fan spinning almost immediately on MacBooks.

------
Scott_Sanderson
Love my yubikey

