HACKER Q&A
📣 herodoturtle

AWS registering MFA will be required in 29 days


Hi folks,

When signing into our AWS console this morning we noticed this security popup - "Registering MFA will be required in 29 days".

Below the notice is a list of options for registering for MFA, and I quote:

> 1. Passkey or Security key: Authenticate using your fingerprint, face, or screen lock. Create a passkey on this device or use another device, like a FIDO2 security key.

> 2. Authenticator app: Authenticate using a code generated by an app installed on your mobile device or computer.

> 3. Hardware TOTP Token: Authenticate using a code generated by hardware TOTP token or other hardware devices.

Perhaps this is a dumb question, but why can't we just use email for 2FA? (or maybe there is a way and we've just missed it?)

If email 2FA is not an option, which of the above 3 options would you recommend to minimise hassle?

(Option 1 looks simple but sounds like it's limited to individual devices? Option 2 - the idea of installing an app - irks us. With option 3 would we each need a hardware token?)

Any guidance would be appreciated. Thanks.

  👤 YouWhy Accepted Answer ✓
First of all, 2FA is a jolly good idea in terms of preventing account hijackings; relying on email/SMS (texts) introduces multiple hazards that can reverse 2FA's net benefit.

One configuration some people use is the KeePass desktop password manager, which supports storing TOTP seeds and has a nice UX for generating tokens; the password database file may be located as you see fit on a hard drive, DOK, cloud drive etc. Example of TOTP config for KeePass:

https://www.fhtino.it/docs/keepass-totp--intro/

Also, Keepass2Android can be used in similar vein from Android devices. iOS equivalents seem to exist as well.

👤 mooreds
I'd go with number 2 unless you want to buy everyone a hardware token (option number 3).

There are open source solutions (I've used https://2fas.com/ ) and very common solutions (Google Authenticator).

You can even print out the QR code and put it in a secure location (safe, safe deposit box) as a break-glass in case everyone's phones cease functioning.

👤 xet7
At Linux, I manage local 2FA with Numberstation GUI. It can import export.

sudo apt install numberstation

I manage passwords with KeepassXC

sudo apt install keepassxc

There is also newer version with additional features:

https://github.com/keepassxreboot/keepassxc

👤 stephenr
Thanks for posting this. I'm going to link back to this whenever anyone claims that using AWS/etc means you don't need any experienced infrastructure/ops people.

As for the actual question: what browser/password manager in 2024 doesn't support both options 1 and 2?

👤 dotps1
Personally I would do all of them.

I would make a passkey and stick it in Bitwarden so I have it with me on all my devices.

I would link my account to my authenticator app.

Then I would also register my yubikey I keep on my keychain.