Using TOTP hardware tokens with AWS MFA
Amazon recommends enabling MFA to increase the security of your AWS environments. Signing in to an MFA-protected account requires a user name, a password, and an authentication code from an MFA device. Currently, AWS supports 3 MFA methods: a virtual MFA device (a mobile app such as Google Authenticator), U2F keys, and pre-enrolled Gemalto keys. Because Token2 programmable tokens act as drop-in replacements for a virtual MFA device, you can use them with AWS MFA as well. The guide below shows how to enroll a Token2 hardware token with your AWS account.
- An AWS account
- A Token2 programmable token (only the second generation tokens are compatible with AWS accounts)
- An Android device with NFC* - this is needed for the enrollment only; subsequent logins require only the hardware token
- The TOKEN2 NFC Burner app* - make sure you have the latest version (at least 2.1). Previous versions of the app do not support the longer seeds generated by the AWS account 2FA system
[* Windows and iPhone versions are also available, but this guide will use Android as an example]
Activate MFA on your AWS account:
- Log in to your AWS account console and select "My Security Credentials" under your username (top menu on the right)
- On the "Your Security Credentials" page, open the MFA section, then click on "Activate MFA", select "Virtual MFA device" as your MFA type and click "Continue"
- On the next window click on "Show QR Code"
- Launch the NFC burner app on your Android device and hit the "QR" button
- Point the camera at the QR code shown on the account page. Upon a successful QR scan, the camera window should disappear
- Turn on the token and touch it with your phone (make sure it overlaps the NFC antenna), then click "Connect" in the app
- Upon successful connection, click the "Burn seed" button. If the NFC link is established and the code was scanned correctly, you should see a status window showing "Burning..." and eventually (in a second or two) a "burn seed successful.." message in the log window
- After completing the burning process, turn the token display off and turn it on again
- Enter the code generated by the token in the "MFA Code 1" field, then turn the token off. Wait for 30 seconds, turn the token on again, and enter the next generated code in the "MFA Code 2" field (make sure the two codes are different; if they are the same, you did not wait long enough), then click on the "Assign MFA" button
- The enrollment is now complete
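To show what the "Assign MFA" step is checking, here is an added Python example (not Token2's or Amazon's code) that reads the base32 seed from an otpauth URI like the one the QR code encodes, derives RFC 6238 TOTP codes from it, and verifies that two submitted codes come from consecutive 30-second steps; the URI and seed below are constructed for illustration, and the decoder accepts seeds of any length, including the longer ones AWS generates.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

STEP = 30  # TOTP time step in seconds; the guide waits one step between the two codes


def parse_otpauth(uri: str) -> dict:
    """Pull the base32 seed and parameters out of an otpauth:// URI (what the QR code encodes)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", "6")),
    }


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, dynamically truncated."""
    secret_b32 = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))  # QR seeds are usually unpadded
    digest = hmac.new(key, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_enrollment(secret_b32: str, code1: str, code2: str, now: int, window: int = 2) -> bool:
    """Model of the 'Assign MFA' check: code1 and code2 must be valid for two consecutive
    time steps, in that order, within +/- window steps of the server clock. Identical codes
    are rejected up front, which is what the guide means by 'you did not wait long enough'."""
    if code1 == code2:
        return False
    for k in range(-window, window + 1):
        t1 = now + k * STEP
        if (hmac.compare_digest(totp(secret_b32, t1), code1)
                and hmac.compare_digest(totp(secret_b32, t1 + STEP), code2)):
            return True
    return False


if __name__ == "__main__":
    # Constructed QR payload; the seed is the RFC 6238 test secret, shorter than a real AWS seed.
    uri = "otpauth://totp/Amazon%20Web%20Services:user?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    seed = parse_otpauth(uri)["secret"]
    t = 1111111109
    print(totp(seed, t), totp(seed, t + STEP))  # two consecutive codes: 081804 050471
    print(verify_enrollment(seed, totp(seed, t), totp(seed, t + STEP), now=t))  # True
```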