Q

How do I synchronize MFA devices for public cloud?

Multifactor authentication helps organizations verify account and user identities in the public cloud. But what do I do when my MFA devices fall out of sync?

Multifactor authentication adds an extra layer of security to verify a user's identity, including in the public cloud. While it has its advantages, there can be management challenges, including synchronizing accounts and devices.

When cloud admins first configure multifactor authentication (MFA) for users, MFA devices are loosely related to users' cloud provider accounts. Admins generally enter the device's serial number, along with the first one or two resulting authentication codes produced by the device to initially synchronize the account and device.

However, there is no continuous link between MFA devices and the public cloud provider or user account, so MFA devices can potentially fall out of synchronization. This happens if the device is reset, or if accidental key presses generate authentication codes that are never submitted, so the device advances past the code the provider expects next. Once the codes are out of sync, the user cannot log on to the cloud provider account until the MFA device is resynchronized.

Cloud providers offer ways to resynchronize MFA devices. Platforms like Amazon Web Services (AWS), for example, use an identity and access management (IAM) service to prompt users to resynchronize an MFA device that no longer provides the expected code sequence. Administrators can then use the AWS IAM console to locate and select the user that needs to be resynchronized, navigate to the Security Credentials tab and select Manage MFA Device. When the MFA wizard starts, select Resynchronize MFA device, and then enter the next two authentication codes produced by the device. When the process is complete, the user should be able to log on to AWS. Resynchronizations can also be initiated through the AWS command-line interface, Windows PowerShell and AWS IAM APIs.
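The drift and the two-code resynchronization described above are easiest to see with an event-based (counter-driven) token such as an RFC 4226 HOTP device. The following is an added example, not code from the original answer or from AWS: it simulates a token whose counter advances on every key press, a verifier that tolerates a small look-ahead window, and a resync step that, like the AWS wizard, takes the next two consecutive codes to relocate the counter. The secret, window sizes and `HotpVerifier`/`HotpDevice` names are all assumptions made for the demonstration; the secret is the RFC 4226 test-vector key, so the first code can be checked against the published value.

```python
import hmac
import hashlib
import struct

DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpDevice:
    """Simulated hardware token (hypothetical): every key press advances the counter and shows a code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1  # advances whether or not the code is ever submitted
        return code


class HotpVerifier:
    """Provider side (hypothetical): stores the next expected counter for the user's device."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead  # small window absorbs a few unused presses

    def verify(self, code: str) -> bool:
        # Accept the expected counter or a few counters ahead of it; never go backwards (replay).
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False

    def resync(self, code1: str, code2: str, search_window: int = 1000) -> bool:
        # Two consecutive codes pin the counter down: a single code could match by chance
        # inside a large search window, a matching pair is far less likely to.
        for c in range(self.counter, self.counter + search_window):
            if hmac.compare_digest(hotp(self.secret, c), code1) and \
               hmac.compare_digest(hotp(self.secret, c + 1), code2):
                self.counter = c + 2
                return True
        return False


def demo() -> dict:
    """Walk through enrollment, drift, failed login, two-code resync and recovery."""
    secret = b"12345678901234567890"  # constructed: RFC 4226 test-vector key
    device = HotpDevice(secret)
    verifier = HotpVerifier(secret)

    enrolled = verifier.verify(device.press())          # first code synchronizes the pair
    for _ in range(10):                                 # accidental presses, codes never submitted
        device.press()
    drifted_login = verifier.verify(device.press())     # beyond the look-ahead window: rejected
    resynced = verifier.resync(device.press(), device.press())  # "enter the next two codes"
    recovered_login = verifier.verify(device.press())   # back in step

    return {
        "enrolled": enrolled,
        "drifted_login": drifted_login,
        "resynced": resynced,
        "recovered_login": recovered_login,
        "verifier_counter": verifier.counter,
        "device_counter": device.counter,
    }


if __name__ == "__main__":
    print(demo())
```

The same two-code step is what the AWS CLI's `aws iam resync-mfa-device` command takes as its two authentication-code arguments; the server-side logic above is the reason a single code is not enough to re-establish the counter safely.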

Other public cloud platforms, such as Azure and Google, stress application-based MFA using smartphones to receive authentication messages or codes. In this case, the smartphone typically does not fall out of synchronization because it is receiving its authentication code from an authentication server, rather than simply generating its own code according to an independent algorithm.

MFA devices are not perfect; they can occasionally become lost or require replacement. Unfortunately, admins can only assign one MFA device to a user at a time, so there is no allowance for spare or backup MFA devices. When you must replace an MFA device, use the cloud provider's management console to deactivate the old device first, and then enable a new MFA device for that user according to the cloud provider's documentation.

This was last published in November 2016

1 comment
Why did you choose a particular provider for managing MFA devices?