HACKER Q&A
📣 noduerme

Panicking about new AWS MFA reqs


I've run dozens of servers/services/DBs on AWS as the root user for years. I will never, ever set up MFA there or anywhere else. I want only email verification through my private email server. No hardware keys to lose, and no cell phone to go missing or have to reload my credentials on (my phones disappear a lot). Suddenly the AWS root login tells me MFA will be required within 6 days through either a hardware key or an authenticator app.

There seems to be no way to get in touch with Amazon about it, so I'm asking here. Anyone else in the same situation?

BTW, don't tell me to just accept it. If you do, you don't get what I'm talking about. I can't get a phone number of who the f** I'd have to talk to there to permanently exempt my account from this req. I've been moving stuff there for 10 years and I'm managing $100k/yr through them at least. Moving verification to an authenticator app or key is MUCH less secure for my living situation.


  👤 necovek Accepted Answer ✓
> MUCH less secure

I accept that this might be true for your situation today (though I doubt that: apart from someone potentially hacking your mail server, they could also hack into your domain registrar or DNS provider, and MFA would protect you from that, even if you'd have other, bigger problems due to losing your mail), but nothing stops you from keeping the security level high (e.g. use a long passphrase for your MFA device instead of a simple PIN; if it's a phone, encrypt it too...).

I am guessing what you mean is that it would be a lot more inconvenient but not much more secure: it helps to be honest with oneself if you want useful advice.

Otherwise, the only thing you are signing up for is people telling you how you can make it more secure (like I did :)).

So, which is it?


👤 solardev
Can't you just use Bitwarden or 1Password or similar? They just store your 2FA in the cloud so it's not tied to any device.

It's a hassle for you, but Amazon isn't going to go out of their way for you. $100k is chump change to them...


👤 necovek
If it's about convenience and not security, you can trivially make a TOTP "authenticator" as a script to use for any service. If you really don't think this provides any extra security, you might push the private key to public GitHub to avoid ever losing it. You'll need to adapt all your verification steps to include a callout to the script, which might be easy or hard depending on the desire.

Now, I would strongly advise against this (and I am deliberately low on details), but if you know what you are doing, nothing can stop you.