Username-Password & MFA
Username-Password & MFA

In this course, we shall be looking at how AWS provides many different means of authentication.

Learning Objectives

  • The different methods of authentication that can be implemented when using AWS
  • The difference between username/password and Multi-factor authentication
  • How to configure MFA authentication
  • The process in which programmatic authentication is managed
  • How IAM roles can be used to authenticate and authorize EC2 instances to access resources
  • How Key Pairs are used to authenticate you to newly created EC2 instances
  • The different options available with regards to federated authentication

Intended Audience

  • AWS Administrators
  • Security Engineers
  • Security Architects
  • And anyone who is looking to increase their knowledge of security and authentication within AWS


You should have a basic understanding of AWS IAM and what the service is used for. It would also be advantageous if you had some basic hands-on experience of Amazon EC2, but it is not essential.


To begin with, I want to start talking about the AWS Identity and Access Management service. IAM is used to securely manage users who require access to your AWS account and resources. During the creation of user identities, there are components and features that you can use that affect how these users authenticate. The most basic is that of a simple username and password. These usernames must be unique as they identify you as an individual and therefore can't be duplicated within the same account. The password however can be duplicated between different users. 

For example, you can create 10 new IAM users, and as the administrator issue all of them with the same password. To enforce security at a greater and more granular level, IAM allows you to create and specify your own password policy for your users. This provides you with the opportunity to govern how secure you want your passwords in your environment to be. As you can see in this image, there are a variety of parameters that you can configure to adjust the policy to meet your own security standards and requirements. I would always recommend enforcing a tight security policy and adopting as many as these parameters as possible.

Using a username and password as your authentication mechanism, the username will be used to determine your identity, followed by verification in the form of the associated password, which must conform with your IAM password policy. On submission of the credentials, IAM will then verify if the authentication is successful and if the credentials do not match those held by IAM, access will be refused and you'll be asked to re-enter the correct information. 

If the authentication is successful, then the user will be authorized to access your AWS environment via the management console based on the permissions specified and associated with the IAM user. Just using a username and password for authentication is not generally considered very secure, and additional measures should be put in place, especially for those with elevated privileges. Within your IAM password policy, you might allow users to set their own passwords, and this can lead to the potential of the introduction of standard and weak passwords being entered, such as password in all lowercase, or 123456, qwerty, and letmein.

Although AWS allows you to enforce password policies, combinations of the above weak passwords still make their way in, such as password 123!, which is both upper and lowercase letters along with numeric and non-alphanumeric characters. However, from a security perspective, these common patterns should still be avoided. So, with this in mind, tighter security can be achieved with the use of additional authentication methods, which requires an additional level of authentication. IAM allows for Multi-Factor Authentication, MFA. This means that any user-configured to sign in with MFA must use a second step of authentication after entering the password as the first level to be authenticated, therefore giving a multi-factor layer of security. The additional authentication utilizes a random six-digit number that is generated by an MFA device that is displayed for a very short time period before the number changes again.

You must enter the digits displayed when prompted to verify this final step of authentication. There is no additional charge for this level of authentication, however you will need your own MFA device which can be a physical token or a virtual device. And AWS provides a summary of all supported devices here. Personally, I use Google Authenticator on my phone because it's simple and easy to set up and configure. Before a user can authenticate with MFA, it must be configured and associated with the user. As we know as a part of the authentication process, we need to ensure that the verification part conforms the identity of the user. This configuration and association is done from within IAM. 

And I will now show you how quick and easy this is to do via a quick demonstration. So, as you can see I've signed into my AWS Management Console and I'm within the AWS IAM dashboard. I've selected one of my users and then this is the screen I'm presented with from there. As you can see, we can manage the MFA device here. So, if I click on 'Manage MFA' for this user. We have a couple of options here: Virtual MFA device, U2F security key, or another hardware MFA device.

For this, I'm just going to use a virtual MFA device, and I'll use the Google Authenticator app on my phone to do this, so click on 'Continue.' So, first of all, you need to make sure you have an app on your mobile phone or your computer. Like I said, I'm going to use the Google Authenticator app on my phone. So, what I need to do is to show the QR code. And now on my phone I'm going to add this as a new entry in my Google Authenticator app, so I'm going to click on 'Scan QR Code.' And then we can see at the bottom there is added the user, Patricia. 

And then, we add in that code, so 074720. And then what we need to do is to add the second code that comes in when it appears on the Google Authenticator app. So, we just wait for that to come around then I can add in the second code, and then it will be synchronized and configured. So, this is about to change. And now I can add in the next code, 185887. And then, I click on 'Assign MFA.' And that's it. So, you have successfully assigned a virtual MFA device to that user. Click on 'Close,' and now we can see here that there's an assigned MFA device.


About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.