6 points by herodoturtle a day ago | 5 comments
  • YouWhy 11 hours ago
    First of all, 2FA is a jolly good idea in terms of preventing account hijackings; relying on email/SMS (texts) introduces multiple hazards that can reverse 2FA's net benefit.

    One configuration some people use is the KeePass desktop password manager, which supports storing TOTP seeds and has a nice UX for generating tokens; the password database file may be located as you see fit on a hard drive, DOK, cloud drive etc. Example of TOTP config for KeePass:

    https://www.fhtino.it/docs/keepass-totp--intro/

    Also, Keepass2Android can be used in similar vein from Android devices. iOS equivalents seem to exist as well.

  • xet7 2 hours ago
    On Linux, I manage local 2FA with the Numberstation GUI. It can import/export.

    sudo apt install numberstation

    I manage passwords with KeePassXC.

    sudo apt install keepassxc

    There is also a newer version with additional features:

    https://github.com/keepassxreboot/keepassxc

  • mooreds 16 hours ago
    I'd go with number 2 unless you want to buy everyone a hardware token (option number 3).

    There are open source solutions (I've used https://2fas.com/ ) and very common solutions (Google Authenticator).

    You can even print out the QR code and put it in a secure location (safe, safe deposit box) as a break-glass in case everyone's phones cease functioning.

    • herodoturtle 15 hours ago
      We all have the gmail app installed on our phones - is this something we could tap into for Google Authenticator?

      Forgive the ignorant questions, as you can tell we're pretty new to this stuff.

      Kinda wish we could just use simple email 2FA to be honest!

      Thanks for the reply.

      • dcminter 15 hours ago
        I use Google's Authenticator for this - you should be fine with that.

        https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

      • mooreds 11 hours ago
        No worries. Google Authenticator is entirely separate from gmail. I think there was a sibling comment that linked to the AWS docs.

        As far as I know, you don't even have to have a google account to use Google Authenticator in many use cases. (You do if you want to back up your secrets.)

  • dotps1 14 hours ago
    Personally I would do all of them.

    I would make a passkey and stick it in Bitwarden so I have it with me on all my devices.

    I would link my account to my authenticator app.

    Then I would also register my yubikey I keep on my keychain.

    • herodoturtle 11 hours ago
      It sounds like you have experience with all 3 options, in which case may I ask:

      If you had to pick 1, which of the 3 options is the most streamlined / causes you the least amount of hassle?

      We're a relatively small dev team (~5 people) if that influences the answer in any way.

      Thanks for the tips!

      • dotps1 5 hours ago
        Least amount of hassle is probably a passkey in your password manager, if it supports it.

        Passkeys are the quickest way to sign in.

        Don't use a passkey on your computer, otherwise you will only be able to sign in from that computer.

        If you find yourself struggling with passkeys, then the "authenticator" route is next best.

        This just gives you a QR code, which you can also store in your password manager and have it generate one time codes.

        If you have an authenticator app on your phone, you can rescan that same QR code to have the codes both places. (password manager and authenticator app)
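What the QR code discussed in the two comments above actually encodes, as an added example that is not from any commenter: a small Python TOTP implementation (RFC 6238) that parses the otpauth:// URI behind the QR code, shows that two independent authenticators given the same seed produce the same code, and checks a submitted code with a small clock-drift window. The label, issuer and secret in SAMPLE_URI are constructed (the secret is the RFC 6238 reference key "12345678901234567890" in base32).

```python
"""Added example: parse an otpauth:// TOTP URI (the text a QR code carries) and
derive codes the way two independent authenticators would (RFC 6238)."""
import base64, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample URI, not from any real account. The secret is the
# RFC 6238 reference key "12345678901234567890", base32-encoded.
SAMPLE_URI = ("otpauth://totp/AWS:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=AWS&digits=6&period=30")

def parse_otpauth(uri):
    """Return label, raw key bytes and parameters from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper().rstrip("=")
    secret += "=" * (-len(secret) % 8)        # restore base32 padding if it was stripped
    return {
        "label": unquote(u.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }

def totp(key, unix_time, digits=6, period=30, algorithm="sha1"):
    """HOTP over the time-step counter: HMAC, dynamic truncation, modulo 10^digits."""
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(key, submitted, unix_time, digits=6, period=30, algorithm="sha1", skew=1):
    """Verifier-side check: accept the current step and +/- skew steps of clock drift,
    comparing in constant time."""
    for step in range(-skew, skew + 1):
        candidate = totp(key, unix_time + step * period, digits, period, algorithm)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    now = time.time()
    # Two "devices" (phone app and password manager) that scanned the same QR code
    # hold the same seed and therefore derive the identical code for the same moment.
    phone = totp(p["key"], now, p["digits"], p["period"], p["algorithm"])
    pw_manager = totp(p["key"], now, p["digits"], p["period"], p["algorithm"])
    print(p["label"], phone, "same on both devices:", phone == pw_manager)
```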

  • stephenr 11 hours ago
    Thanks for posting this. I'm going to link back to this whenever anyone claims that using AWS/etc means you don't need any experienced infrastructure/ops people.

    As for the actual question: what browser/password manager in 2024 doesn't support both options 1 and 2?

    • herodoturtle 11 hours ago
      To answer your question in your second line I'd have to refer back to your first line with a chuckle...

      I wish there were a simple step-by-step guide for (example) how to set up MFA in AWS using my browser/password manager. As in, an ELI5 explanation. Gosh that would help demystify this stuff! Not that it's mysterious or anything... but for the uninitiated it's a bit of a steep learning curve!

      • dotps1 5 hours ago
        For passkeys, your password manager should prompt you to save them if it supports them.

        For the authenticator (TOTP), you just save a QR code where it tells you. Just google "TOTP <your password manager>" and I'm sure you will find a guide.