
I recently tried to change my password on my Amazon account (something I do a couple of times per year) and was presented with a multi-factor auth prompt for a long-forgotten and inactive AWS account that I trialled years ago. It turns out the phone number on the AWS account is out of date and the authenticator app was on the same phone that I no longer have, so I can't remove or reset the MFA. All my details on my Amazon account are up to date but these can't be used for resetting the MFA, only the details I entered when I signed up to AWS. I've hit an impasse with support, they'll only accept a notarized identity verification form and affidavit to proceed, which isn't that easy or cheap to do outside of the USA.

At this point I'm snookered - I feel like if my password is ever compromised I'm screwed, but it's not like I can just start a new account because all my digital purchases, my Kindle, my Echo, etc are tied to my old account.

Basically: do yourself a favour and sign up to distinct services with distinct accounts and don't have one global account for everything.

I don't think you should blame Amazon for enforcing the MFA that you set up. Allowing someone to trivially reset the password on an MFA-enabled account would completely defeat the security purpose of MFA. If you've been reading HN for long, I'm sure you've seen stories of how attackers have used famous people's personal information to compromise their accounts at various services by requesting password resets. Respecting MFA and requiring a higher bar for password resets is necessary for defending against these attacks. And of course, if you're using both Amazon.com and AWS under one Amazon account (which it sounds like you are), then it would also defeat the security purpose of MFA if you could reset your account password through Amazon.com after setting up an MFA to protect your AWS usage.

I think your conclusion and advice are good. Separate your accounts for different services.

> I've hit an impasse with support, they'll only accept a notarized identity verification form and affidavit to proceed, which isn't that easy or cheap to do outside of the USA.

This should in fact be very cheap most places in the world. Do they not have notaries public in your country?

Generally you just need to sign a legally binding form asserting under penalty of perjury that you are so-and-so, and this is your account. You do this in front of the notary, and they inspect your government ID to confirm it's really you. Then the notary stamps the document to indicate that they've witnessed you signing it, and have inspected your ID. Now you're done.

A number of online businesses require this in certain circumstances, and it's something that you can do in about 10 minutes at a store. In the USA, stores like the UPS Store, Kinko's Copies, etc. often have notary services. If you work for a medium-sized company or larger, your company will typically have a notary in its business center who may be willing to notarize personal documents for free. It should be a pretty simple process to complete, if inconvenient.

The problem is that it isn't really a shared account - the login email and password are the same, but they won't accept any current mobile number/etc entered anywhere but AWS.

I used AWS for a bit and then stopped, and then forgot about it. I've kept my Amazon account up to date, but not my AWS details. For years I continued to use my Amazon account without ever needing to use the MFA, so forgot I ever activated it. This year they've suddenly decided to enforce the MFA globally. I blame myself for not removing the MFA when I closed the account, but you can hopefully see why it's a frustrating user experience also. And like I say, the net result is a less secure Amazon account for everything but AWS until I can remove the MFA requirement.

Re notarizing, my understanding is that I need to use a US notary service for it to be valid for a US document (eg available via the US embassy).
