Date: 2024-11-18

Amazon Web Services (AWS) is to widen the scope of a mandatory multi-factor authentication (MFA) programme it introduced earlier this year, after seeing strong uptake among customers and a slump in password-related phishing attacks.

The cloud giant made MFA compulsory for management account root users in the AWS Management Console beginning in May 2024, starting with its largest accounts. In June, it added support for FIDO2 passkeys as an MFA method to give users more options, and expanded the original requirement to include root users in standalone accounts, too.

According to AWS principal product manager of account protection Arynn Crow, over 750,000 root users have enabled MFA since April, with customer registration rates more than doubling since the addition of FIDO2 passkeys to the mix. She claimed the policy change had prevented “greater than 99%” of password-related attacks.

“At AWS, we’ve built our services with secure-by-design principles from day one, including features that set a high bar for our customers’ default security posture,” said Crow. “Strong authentication is a foundational component in overall account security, and the use of MFA is one of the simplest and most effective ways to help prevent unauthorised individuals from gaining access to systems or data.”

Based on this early success, AWS will now be expanding MFA requirements to member accounts in AWS Organizations from spring 2025.

“Customers who have not enabled central management of root access will be required to register MFA for their AWS Organizations member account root users in order to access the AWS Management Console,” said Crow.

“As with our previous expansions to management and standalone accounts, we will roll this change out gradually and notify individual customers who are required to take action in advance, to help customers adhere to the new requirements while minimising impact to their day-to-day operations.”