Ask HN: Panicking about new AWS MFA reqs

1 points by noduerme ↗ HN
I've run dozens of servers/services/DBs on AWS as the root user for years. I will never, ever set up MFA there or anywhere else. I want only email verification through my private email server. No hardware keys to lose, and no cell phone to go missing or have to reload my credentials on (my phones disappear a lot). Suddenly the AWS root login tells me MFA will be required within 6 days through either a hardware key or an authenticator app.

There seems to be no way to get in touch with Amazon about it, so I'm asking here. Anyone else in the same situation?

BTW, Don't tell me just accept it. If you do, you don't get what I'm talking about. I can't get a phone number of who the f** I'd have to talk to there to permanently exempt my account from this req. I've been moving stuff there for 10 years and I'm managing $100k /yr through them at least. Moving verification to an authenticator app or key is MUCH less secure for my living situation.

9 comments

[ 10.6 ms ] story [ 33.6 ms ] thread
> MUCH less secure

I accept that this might be true for your situation today (though I doubt that: apart from someone potentially hacking your mail server, they could also hack into your domain registrar or DNS provider, and MFA would protect you from that, even if you'd have other, bigger problems due to losing your mail), nothing stops you from keeping the security level high (eg. use a long passphrase for your MFA device instead of a simple pin; if it's a phone, encrypt it too...).

I am guessing what you mean is that it would be a lot more inconvenient but not much more secure: it helps to be honest with oneself if you want useful advice.

Otherwise, the only thing you are signing up for is people telling you how you can make it more secure (like I did :)).

So, which is it?

I spend a lot of time traveling internationally. I switch phones a lot. I've had at least 2 stolen, and 2 more lost, in the last 5 years.

• MFA on my phone would mean using Google or some other cloud service's login; if I lose my phone, my MFA is only as good as my Google password (and Google may require its own separate authentication if my phone number changes, meaning I would be unable to get into AWS until that was completed).

• A hardware key can be stolen or lost on the road.

• My email server is in a secure location and the DNS is set up through Cloudflare. So if someone hacked that and rerouted my email, it would be a very bad day for a lot of people.

You could install a command line TOTP app on your email server and get the token via ssh. You're already presuming your email server is up to receive the authentication email, so assuming it's so you can get the token seems neutral.

Eg https://github.com/yitsushi/totp-cli but there are others.

One could even set up an auto-responder email that returns TOTP code: if you include your own password in an incoming email, it returns a new TOTP code.

If you properly set up your mail client and server, it should also be TLS encrypted, so no MITM attack vector either.

I don't use Google Authenticator for TOTP. Instead, I use Aegis which can encrypt private keys and is available in F-droid. It allows offline backup too.

I am perplexed about "as good as my Google password": isn't your email verification as good as one of your registrar password, DNS/Cloudflare password and email password? How is this different?

With hardware key, losing it only matters if you lost the password at the same time: MFA means multiple factors, so that's a password + MFA. If you are referring to a hw passkey, that might be different.

Gaining access to your email server/domain name does not necessarily require Cloudflare to be hacked.

It all sounds like you really are not fully understanding the security risks between different options, and that this is really mostly about you not wanting to lose the convenience you have. Which is fine, but again, you should be honest about that (or might need to better evaluate your security posture).

If it's about convenience and not security, you can trivially make a TOTP "authenticator" as a script to use for any service. If you really don't think this provides any extra security, you might push the private key to public GitHub to avoid ever losing it. You'll need to adapt all your verification steps to include a callout to the script, which might be easy or hard depending on the desire.

Now, I would strongly advise against this (and I am deliberately low on details), but if you know what you are doing, nothing can stop you.

That sounds... way shakier than checking my email when I need to verify.
Sure, but AWS isn’t going to exempt you from their global MFA requirement.
Can't you just use Bitwarden or 1password or similar? They just store your 2FA in the cloud so it's not tied to any device.

It's a hassle for you, but Amazon isn't going to go out of their way for you. $100k is chump change to them...