Ask HN: Panicking about new AWS MFA reqs
I've run dozens of servers/services/DBs on AWS as the root user for years. I will never, ever set up MFA there or anywhere else. I want only email verification through my private email server. No hardware keys to lose, and no cell phone to go missing or have to reload my credentials on (my phones disappear a lot). Suddenly the AWS root login tells me MFA will be required within 6 days through either a hardware key or an authenticator app.
There seems to be no way to get in touch with Amazon about it, so I'm asking here. Anyone else in the same situation?
BTW, Don't tell me just accept it. If you do, you don't get what I'm talking about. I can't get a phone number of who the f** I'd have to talk to there to permanently exempt my account from this req. I've been moving stuff there for 10 years and I'm managing $100k /yr through them at least. Moving verification to an authenticator app or key is MUCH less secure for my living situation.
9 comments
[ 10.6 ms ] story [ 33.6 ms ] threadI accept that this might be true for your situation today (though I doubt that: apart from someone potentially hacking your mail server, they could also hack into your domain registrar or DNS provider, and MFA would protect you from that, even if you'd have other, bigger problems due to losing your mail), nothing stops you from keeping the security level high (eg. use a long passphrase for your MFA device instead of a simple pin; if it's a phone, encrypt it too...).
I am guessing what you mean is that it would be a lot more inconvenient but not much more secure: it helps to be honest with oneself if you want useful advice.
Otherwise, the only thing you are signing up for is people telling you how you can make it more secure (like I did :)).
So, which is it?
• MFA on my phone would mean using Google or some other cloud service's login; if I lose my phone, my MFA is only as good as my Google password (and Google may require its own separate authentication if my phone number changes, meaning I would be unable to get into AWS until that was completed).
• A hardware key can be stolen or lost on the road.
• My email server is in a secure location and the DNS is set up through Cloudflare. So if someone hacked that and rerouted my email, it would be a very bad day for a lot of people.
Eg https://github.com/yitsushi/totp-cli but there are others.
If you properly set up your mail client and server, it should also be TLS encrypted, so no MITM attack vector either.
I am perplexed about "as good as my Google password": isn't your email verification as good as one of your registrar password, DNS/Cloudflare password and email password? How is this different?
With hardware key, losing it only matters if you lost the password at the same time: MFA means multiple factors, so that's a password + MFA. If you are referring to a hw passkey, that might be different.
Gaining access to your email server/domain name does not necessarily require Cloudflare to be hacked.
It all sounds like you really are not fully understanding the security risks between different options, and that this is really mostly about you not wanting to lose the convenience you have. Which is fine, but again, you should be honest about that (or might need to better evaluate your security posture).
Now, I would strongly advise against this (and I am deliberately low on details), but if you know what you are doing, nothing can stop you.
It's a hassle for you, but Amazon isn't going to go out of their way for you. $100k is chump change to them...