undefined | Better HN

0 pointsjorvi7mo ago0 comments

You don't put the temporary credentials behind FIDO because they're temporary anyway. You put FIDO on the main account that has the privilege to generate the temporary credentials.

So in the off chance that you get a phishing mail, you generate temporary credentials to take whatever actions it wants, attempt to log in with those credentials, get phished, but they only have access to API for 900s (or whatever you put as the timeout, 900s is just the minimum).

900s won't stop them from running amok, but it caps the amok at 900s.

0 comments

akerl_7mo ago

You aren't grokking what I'm saying. AWS does not allow FIDO2 as an MFA method for API calls.

So if your MFA device for your main account is a FIDO2 device, you either:

1. Don't require MFA to generate temporary credentials. Congrats, your MFA is now basically theater.

2. Do require MFA to generate temporary credentials. Congrats, the only way to generate temporary credentials is to instead use a non-FIDO MFA device on the main account.

Nobody is getting a phishing email, going to the terminal, generating STS credentials, and then feeding those into the phish. The phish is punting them to a fake AWS webpage. Temporary credentials are a mitigation for session token theft, not for phishing.

computerfriend7mo ago

I think you're not grokking it.

Require FIDO2-based MFA to log into AWS via Identity Center, then run aws sso login to generate temporary credentials which will be granted only if the user can pass the FIDO2 challenge.

The literal API calls aren't requesting a FIDO2 challenge each time, just like the console doesn't require it for every action. It's session based.

akerl_7mo ago

I definitely wasn’t grokking that, because the prior commenter never mentioned AWS Identity Center, and instead linked to STS, which works how I described (you can’t use FIDO MFA for the authentication of the call that gives you your short-lived session creds).

I’m excited to see that Identity Center supports FIDO2 for this use case.

1 more reply

j / k navigate · click thread line to collapse

0 comments

akerl_7mo ago

You aren't grokking what I'm saying. AWS does not allow FIDO2 as an MFA method for API calls.

So if your MFA device for your main account is a FIDO2 device, you either:

1. Don't require MFA to generate temporary credentials. Congrats, your MFA is now basically theater.

2. Do require MFA to generate temporary credentials. Congrats, the only way to generate temporary credentials is to instead use a non-FIDO MFA device on the main account.

computerfriend7mo ago

I think you're not grokking it.

Require FIDO2-based MFA to log into AWS via Identity Center, then run aws sso login to generate temporary credentials which will be granted only if the user can pass the FIDO2 challenge.

The literal API calls aren't requesting a FIDO2 challenge each time, just like the console doesn't require it for every action. It's session based.

akerl_7mo ago

I’m excited to see that Identity Center supports FIDO2 for this use case.

1 more reply

j / k navigate · click thread line to collapse