User authentication is a critical part of any company's security strategy, ensuring only authorized users can access valuable data and resources. Organizations are increasingly using additional methods of authentication, beyond user names and passwords, to confirm user identities.
Multifactor authentication (MFA) combines traditional login credentials with a code derived from a physical device in the authorized user's possession. MFA extends to public clouds, where unauthorized users could disrupt vital applications and run up enormous cloud expenses. Public cloud providers, including Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform, provide MFA as a second layer of authentication for cloud access.
Where do MFA codes come from?
Unlike other methods of authentication, MFA involves a special authentication code that is provided through a physical or virtual device. If a user both knows the login credentials for an account and possesses the device that provides the authentication code, it is far more likely that the user is who they claim to be.
A range of sources can generate MFA codes, but the most common is a smartphone or tablet running an MFA app to create a virtual MFA device. The user logs on, and the MFA app supplies the authentication code on the smartphone or other mobile device. Mobile devices running Android can use apps like Google Authenticator or Authy 2-Factor Authentication, while BlackBerry and Apple iPhone or iPad devices can use Google Authenticator.
Other types of MFA devices
Other popular MFA devices include the key fob or display card. A key fob is a wireless device that produces a unique and nonreusable password that serves as the authentication code. A display card, which resembles a credit card with a small display, also produces one-time passwords for MFA use.
Organizations need to assign the MFA device to the root account or to an individual identity and access management (IAM) user account. During login, the MFA device provides a six-digit numeric code based on the time-based one-time password (TOTP) algorithm standard. Users enter the authentication code along with their regular credentials, or pass it to the cloud provider through the provider's API.
AWS, Google Cloud Platform and Microsoft Azure support most methods of authentication, including MFA. To choose an MFA technology, evaluate your business needs. For example, organizations that embrace BYOD architectures might implement a virtual device scheme using appropriate apps on each respective user's mobile device. More stringent organizations might provide fobs to key users or administrators.
How do I enable different types of MFA devices?
Public cloud providers generally make it easy to implement various types of MFA devices. The goal is to enable MFA for the user account and link the MFA device with that account.
Virtual MFA devices generally run an app on a mobile device. For a cloud provider like AWS, administrators can enable virtual MFA for a user by logging on to the IAM console, locating the user, selecting the Security Credentials tab and choosing Manage MFA Device. This starts a wizard that lets administrators select a virtual MFA device. The AWS wizard produces a QR code that represents a secret key. The mobile device and app can scan the QR code to receive the key and link the device and IAM account. If the device does not support QR code scanning, the secret key can be shown and entered manually.
Hardware MFA devices, like key fobs and display cards, follow a similar technique. A wizard lets administrators select "hardware MFA device." Then, they enter the serial number of the hardware device to identify it to AWS. The hardware MFA device then produces authentication codes for AWS user accounts.
In either case, administrators may need to complete the MFA device setup process by entering one or two authentication codes from the device. This verifies that the new virtual or hardware MFA device works before it is accepted for use with the AWS account.
The process is similar for other cloud providers. For example, administrators using Microsoft Azure can log in to the Azure portal, select Active Directory, choose the users for MFA, and then click Manage Multi-Factor Auth to open a new browser tab. Select each user to enable MFA, click Enable, and then click enable multi-factor auth. The users' MFA state changes from disabled to enabled.
How do I manage MFA devices for public cloud?
There are circumstances where admins need to deactivate an enabled MFA device. For example, if a user leaves the company or is removed from the cloud provider's account, the related MFA device must be disabled before the user can be fully removed. In other cases, the MFA device may be disabled temporarily if MFA proves problematic or burdensome. Admins will also need to deactivate MFA devices before placing new MFA devices into service.
Generally, administrators first use the public cloud provider's management tools to verify the status of a user's MFA device. For example, AWS administrators can use the IAM console to select any user for a status check. When they find an MFA device that must be disabled, they use the provider's tools to deactivate it. In the case of AWS, a disabled device cannot be used again until it is reactivated and reassociated with an AWS account.
MFA is one of the most popular methods of authentication in the enterprise. But, despite its benefits, MFA imposes additional setup and management issues for cloud administrators. Consequently, organizations typically employ MFA for a limited number of privileged users, such as administrators, with broad access to public cloud resources.