
So, what I never understood about this flow is that only admins can set up MFA. A non-admin (any account without IAM permissions) has no way to set up MFA unless an admin does it for them. Currently, I have to have the person tell me their MFA codes next to me, so I can type them in and set it up. How does this work for U2F? Do I have to use their USB device on my computer to allow them to have MFA? It's such a chicken and egg problem.


You can give IAM users permission to add their own MFA device. I’d recommend requiring MFA to remove the device to prevent an attacker from doing so.


Ability to set one's MFA is something you'd set in IAM, as opposed to a truly permissionless account.

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_us...
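An added example, not part of the thread or taken from the linked page: an IAM identity policy that does what the two replies above describe, letting a user enroll their own MFA device while allowing removal only from an MFA-authenticated session. It assumes the MFA device is named after the IAM user, which is what the `${aws:username}` policy variable in the `mfa/` resource ARN enforces.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListVirtualMFADevices",
      "Effect": "Allow",
      "Action": "iam:ListVirtualMFADevices",
      "Resource": "*"
    },
    {
      "Sid": "AllowEnrollOwnMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowRemoveOwnMFADeviceOnlyWithMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ],
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

Because the removal statement is the only one that grants `iam:DeactivateMFADevice`, a session authenticated with a password or access key alone can add a device but cannot strip an existing one. A user who loses their device then needs an administrator to deactivate it for them.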



