
To secure an AWS account it is good to have a virtual MFA device, such as Google Authenticator.

Usually, you can just take a picture of the QR code, and use it on as many devices as you want (as here suggested https://webapps.stackexchange.com/a/66666/188445, sorry, couldn't comment on that answer, don't have the reputation).

However, on AWS it asks for two codes to confirm, which makes me think it is device specific. Is there any way to set up AWS MFA on two devices, or to use a backup if I lose my phone?

lebed2045
    Two things: 1) don't use your root account and 2) if you want a backup MFA option then simply create two IAM users (alex and alex-backup perhaps) in the same IAM group and then configure MFA independently for each IAM user. Also see https://stackoverflow.com/questions/19723585/how-to-add-more-devices-to-aws-root-account-mfa – jarmod Jun 08 '18 at 20:24
  • Check out Authy for both Multi-Device MFA and for secure MFA backups. https://authy.com/blog/multi-multi-factor-authentication/ – Rodrigo M Jun 09 '18 at 02:56

1 Answer


First, I'll be that guy and say - don't back up your MFA key. If you lose your device, just jump through the steps of resetting it by contacting support.

While it doesn't necessarily defeat the purpose of increasing the security, and while it's also probably not likely that someone will attempt to steal your key, I don't think you're doing yourself any favors, security-wise.

But that's not what you're asking about.

When you say "on AWS it asks two codes to confirm, that makes me think it is device specific," I'm not sure I follow. Yes, it's device specific, in that you need the specific device that either scanned the QR code, or entered the key in, in order to auth via MFA.

But just because there are two fields, it doesn't mean that there are two different QR codes or MFA keys you need - you just need the one they show you.

After you set up your authenticator, you enter the first code you see into the first field, then wait for that to cycle out, then enter the next one into the second field. Asking for two codes just ensures that your authenticator is working correctly. It's not any different than other services that use an authenticator as MFA - some only ask for the first code that appears, some ask for two. (Personally I think two is better.)

  • Thanks, so it means I can print this QR code, and if I lose my phone, I can use this printed QR to set up another Google Authenticator to log in and change credentials? – lebed2045 Jun 12 '18 at 04:04
  • 1
    @lebed2045 yes, though if you ARE going to back it up, you may as well back up the MFA secret key too, just so you have both. Then, if for whatever reason your device's camera isn't working with the QR code, you can still type the secret key into your device. – thisAaronMdev Jun 12 '18 at 06:47