Ask HN: AWS registering MFA will be required in 29 days

7 pointsposted 9 months ago
by herodoturtle

Item id: 41806749

15 Comments

YouWhy

9 months ago

First of all, 2FA is a jolly good idea in terms of preventing account hijackings; relying on email/SMS (texts) introduces multiple hazards that can reverse 2FA's net benefit.

One configuration some people use is the KeePass desktop password manager, which supports storing TOTP seeds and has a nice UX for generating tokens; the password database file may be located as you see fit on a hard drive, DOK, cloud drive etc. Example of TOTP config for KeePass:

https://www.fhtino.it/docs/keepass-totp--intro/

Also, Keepass2Android can be used in similar vein from Android devices. iOS equivalents seem to exist as well.

mooreds

9 months ago

I'd go with number 2 unless you want to buy everyone a hardware token (option number 3).

There are open source solutions (I've used https://2fas.com/ ) and very common solutions (Google Authenticator).

You can even print out the QR code and put it in a secure location (safe, safe deposit box) as a break-glass in case everyone's phones cease functioning.

herodoturtle

9 months ago

We all have the gmail app installed on our phones - is this something we could tap into for Google Authenticator?

Forgive the ignorant questions, as you can tell we're pretty new to this stuff.

Kinda wish we could just use simple email 2FA to be honest!

Thanks for the reply.

mooreds

9 months ago

No worries. Google Authenticator is entirely separate from gmail. I think you there was a sibling comment that linked to the AWS docs.

As far as I know, you don't even have to have a google account to use Google Authenticator in many use cases. (You do if you want to back up your secrets.)

herodoturtle

9 months ago

Ok great thanks for clarifying all that ^_^

xet7

9 months ago

At Linux, I manage local 2FA with Numberstation GUI. It can import export.

sudo apt install numberstation

I manage passwords with KeepassXC

sudo apt install keepassxc

There is also newer version with additional features:

https://github.com/keepassxreboot/keepassxc

herodoturtle

9 months ago

Thank you these are some really helpful tips ^_^

stephenr

9 months ago

Thanks for posting this. I'm going to link back to this whenever anyone claims that using AWS/etc means you don't need any experienced infrastructure/ops people.

As for the actual question: what browser/password manager in 2024 doesn't support both options 1 and 2?

herodoturtle

9 months ago

To answer your question in your second line I'd have to refer back to your first line with a chuckle...

I wish there were a simple step-by-step guide for (example) how to set up MFA in AWS using my browser/password manager. As in, an ELI5 explanation. Gosh that would help demystify this stuff! Not that it's mysterious or anything... but for the uninitiated it's a bit of a steep learning curve!

dotps1

9 months ago

For passkeys, your password manager should prompt you to save them if it supports them.

For the authenticator (TOTP), you just save a QR code where it tells you. Just google "TOTP <your password manager>" and I'm sure you will find a guide

dotps1

9 months ago

Personally I would do all of them.

I would make a passkey and stick it in Bitwarden so I have it with me on all my devices.

I would link my account to my authenticator app.

Then I would also register my yubikey I keep on my keychain.

herodoturtle

9 months ago

It sounds like you have experience with all 3 options, in which case may I ask:

If you had to pick 1, which of the 3 options is the most streamlined / causes you the least amount of hassle?

We're a relatively small dev team (~5 people) if that influences the answer in any way.

Thanks for the tips!

dotps1

9 months ago

Least amount of hassle is probably a passkey in your password manager, if it supports it.

Passkeys are the quickest way to sign in.

Don't use a passkey on your computer, otherwise you will only be able to sign in from that computer.

If you find yourself struggling with passkeys, then the "authenticator" route is next best.

This just gives you a QR code, which you can also store in your password manager and have it generate one time codes.

If you have an authenticator app on your phone, you can rescan that same QR code to have the codes both places. (password manager and authenticator app)

stephenr

9 months ago

> Don't use a passkey on your computer, otherwise you will only be able to sign in from that computer.

This is only true if you don't use a password manager which syncs passkeys.