Increase AWS Single Sign-On security with multi-factor authentication using authenticator apps

Posted on: Oct 25, 2019

AWS Single Sign-On (AWS SSO) now enables you to increase security by enabling multi-factor authentication (MFA) with authenticator applications, such as Authy and Google Authenticator, that generate time-based one-time passcodes (TOTP). You can now configure AWS SSO to require users to enter an authenticator-generated TOTP code in addition to their password. MFA improves security by requiring people to know something (their password) and have something (their authenticator) before they can sign in.

Administrators can enroll, remove, and view TOTP authenticators for each of their users within the AWS SSO administrator portal. Alternatively, administrators can enable users to self-enroll within the user portal to speed up the enrollment process and reduce user friction.

Administrators can also enable context-aware mode, in which users sign in with just their username and password for most logins and are prompted for a TOTP-generated passcode only when their sign-in context changes, such as an unknown device or location. For increased security or compliance requirements, you can choose always-on mode to prompt for a TOTP-generated passcode at every sign-in.

For more information on how to enable these additional security features within your AWS SSO environment, see the AWS SSO - Enable Multi-Factor Authentication documentation.