Amazon Web Services (AWS) is expanding its mandatory multi-factor authentication (MFA) program after a noticeable increase in customer participation and a drop in password-related phishing incidents. Since rolling out MFA for root users in May 2024, starting with its largest accounts, AWS has seen impressive results.
In June, the company introduced FIDO2 passkeys as a new MFA option, further encouraging user adoption. According to Arynn Crow, AWS’s principal product manager, over 750,000 root users activated MFA since April, and registrations have more than doubled since adding FIDO2. This policy change has reportedly thwarted over 99% of password-related attacks.
Crow emphasized that AWS designs its services with security as a priority. Strong authentication plays a critical role in protecting accounts, and MFA is one of the most effective methods to keep unauthorized individuals away from systems and data. Given the success so far, AWS plans to extend MFA requirements to member accounts in AWS organizations starting in Spring 2025.
Customers without central management of root access will need to set up MFA for their organization’s member account root users to access the Management Console. AWS will implement this in phases, notifying affected customers in advance to ease the transition and minimize disruption.
On top of boosting MFA usage, AWS aims to tackle the issue of passwords altogether. Crow pointed out that standard password practices often lead to security vulnerabilities and added operational burdens, especially for customers with high security demands. To address this, AWS launched a new feature for central management of root access, simplifying password management while maintaining control over root principals.
Now, customers can enable centralized root access with just a quick adjustment in their management console or via the AWS command line interface, allowing them to eliminate long-term credentials for member account root users. “This will enhance security while reducing operational overhead,” Crow noted.