5 Answers
Even better: Click the link under the QR code, get the code, store the code in your password manager. No photos needed, and easier to manage with copy-paste.
You ARE using a password manager, right? Right? RIGHT?
Actually I’d prefer to trust AWS over a password manager, but I’m always willing to listen to recommendations. 🙂 Do you have one that you particularly like?
You probably have more accounts than just AWS. 🙂 My personal recommendation is Lastpass.
If you are on Android, you can use Authenticator+. It costs a couple of bucks, but it lets you sync all of your MFA to other devices… and restore if the device is lost. (This is pretty awesome if you have over 100 MFA codes…)
I store a few of my MFA codes in 1Password, but I feel like if my MFA and PW are in the same storage then I’m less secure, so I like having them firewalled.
Ahhh, you would be referring to this one: https://play.google.com/store/apps/details?id=com.mufri.authenticatorplus&hl=en by Mufri? Seems to be very well rated, I’ll have to check it out. There’s another app for iPhone/iPad called Authenticator that looks interesting too: https://itunes.apple.com/us/app/authenticator/id766157276?mt=8
FYI, there is an Auth+ for iOS, but I have failed to get the two to sync… could be user error…
I’d recommend (and actively promote within my company) using Authy – multiplatform, so Android/iPhone users are happy, as well as Chrome plugin. Also allows you to have your MFA tokens across multiple devices if you choose, as well as the ability to backup (encrypted) and restore on new devices if you lose your phone.
To be clear: If you scan the code, you are storing the MFA secret on your device. If the device is compromised, the game is over. Saving it also in encrypted form on the same device doesn’t really increase risk.
You could put the QR code into Stocard too 😀
From the security point of view, I don’t recommend the option of storing the QR code (or string code); it is another management/security headache.
AWS provides a process to get access in case of an MFA problem (I tested it a few months ago).
What If an MFA Device Is Lost or Stops Working? http://amzn.to/2GZMt5D (URL edited, the long one doesn’t work)
Basically, using this process bypasses the MFA; it doesn’t disable the current MFA (you need to do that manually after accessing the account and change it).
I agree with you. We’ve had to do it and while it’s not fast, it’s better than having backups. We had the misfortune of having an employee leave on bad terms. If we’d had a backup, we would have had to change the MFA for over 400 accounts (we are the admin team for all those accounts). As it stands, all we had to do was revoke his access. We store our MFAs for the root accounts on a single device stored in a safe on our office floor that requires 2 people to open (each person with 1/2 the code). We changed the half that matched his (standard procedure) and we were done.
IMO, storing the QR image or the code, while it can be done more or less securely, the fact that it is available is a risk anyway, especially if you put it in your password manager, which probably also manages your root account password :-). Just sync the MFA to your phone and to another trusted team member at the same time.
Just hope no one else ever gets a copy of the picture 🙂
🙂 If you’re going to follow Ryan’s advice about storing it on S3, make sure you watch the sections on securing S3 buckets! 😉
Oh, there will definitely be a very specific bucket policy on that one. 😉