AWS hits a big milestone: 100% MFA for root users

AWS was the first cloud provider to make multi-factor authentication (MFA) mandatory for accounts with root access in 2023. This requirement has now been extended to full coverage: root users can no longer log in with just their username and password.

A familiar piece of wisdom among cyber security experts: these days attackers don't hack in, they log in. That makes the basic step of setting up MFA more important than ever. The major cloud players have realized this, and AWS was the first to conclude that root users had to be required to use it. Google Cloud and Microsoft Azure followed suit.

Mission accomplished?

MFA is not foolproof, but it significantly increases the level of protection. A confirmation code sent to an external device can still be stolen by attackers, for example by compromising another account in advance or through social engineering. Also, MFA is currently only guaranteed for root users; all other accounts can still be compromised without additional authentication steps.

Nevertheless, AWS does not stop at MFA. IAM Access Analyzer shows IT administrators who within an organization has access to critical resources, so that any unintended access can be removed. AWS Security Hub also receives more signals than ever before, making vulnerable instances or accounts easier to detect. It therefore remains important to treat security as a layered approach, with MFA as only the first (albeit important) line of defense.
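Because the mandate covers only root users, the gap the article points at is every other console user in the account. The check a practitioner would want is a quick audit of the IAM credential report for password-enabled users without MFA. The script below is an added example written for this article, not AWS tooling; it parses the CSV layout that `iam:GetCredentialReport` returns, using a constructed sample report so it runs offline, and the optional `fetch_live_report` helper assumes `boto3` is installed and that the caller has permission to generate and read the report.

```python
"""Audit an IAM credential report for console users that lack MFA.

Added example (not AWS's own code). The root user appears in the report
as "<root_account>" with password_enabled set to "not_supported", so it is
judged on mfa_active alone; ordinary users are flagged only if they have a
console password and no MFA device.
"""
import csv
import io
import time
from typing import Dict, List

# Constructed sample in the credential report layout. Only the first
# eight columns are included because the check needs nothing else.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2024-06-01T09:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2020-03-02T10:00:00+00:00,true,2024-06-02T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111122223333:user/bob,2021-07-14T12:00:00+00:00,true,2024-05-30T07:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-02-01T00:00:00+00:00,false,no_information,N/A,N/A,false
"""

ROOT = "<root_account>"


def parse_credential_report(report_csv: str) -> List[Dict[str, str]]:
    """Turn the CSV text of a credential report into one dict per principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def root_has_mfa(rows: List[Dict[str, str]]) -> bool:
    """True when the root user row reports an active MFA device."""
    for row in rows:
        if row["user"] == ROOT:
            return row["mfa_active"] == "true"
    # A report without a root row is malformed; treat it as a failed check.
    return False


def users_without_mfa(rows: List[Dict[str, str]]) -> List[str]:
    """Names of principals that can sign in with a password but have no MFA.

    Access-key-only users (password_enabled == "false") are skipped: MFA does
    not apply to their sign-in path, so they need a different control.
    """
    missing = []
    for row in rows:
        is_root = row["user"] == ROOT
        console_login = is_root or row["password_enabled"] == "true"
        if console_login and row["mfa_active"] != "true":
            missing.append(row["user"])
    return missing


def audit(report_csv: str) -> Dict[str, object]:
    """Summarise one report: root status plus every console user lacking MFA."""
    rows = parse_credential_report(report_csv)
    return {
        "root_mfa": root_has_mfa(rows),
        "missing_mfa": users_without_mfa(rows),
    }


def fetch_live_report() -> str:
    """Fetch a fresh report with boto3 (assumption: boto3 is installed and the
    caller holds iam:GenerateCredentialReport and iam:GetCredentialReport).
    Generation is asynchronous, so poll until the state is COMPLETE."""
    import boto3  # imported here so the offline audit needs no AWS dependency

    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(1)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    result = audit(SAMPLE_REPORT)
    print("root MFA enabled:", result["root_mfa"])
    print("console users without MFA:", result["missing_mfa"])
```

Run against the real report by replacing `SAMPLE_REPORT` with `fetch_live_report()`; in an account that meets the new mandate `root_mfa` is `True`, and the interesting output is the `missing_mfa` list, which is exactly the population the root-only requirement does not cover.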

Good example

The reality is that MFA has been known to the general public for about two decades. Certainly since the popularization of the smartphone, the technology could have been implemented for every important account in the world. However, adopting a security method requires a mixture of conviction and obligation. That is why AWS chose to roll out mandatory MFA gradually. First, MFA became mandatory for the root users of AWS Organizations management accounts in May 2024, followed by standalone account root users a month later, and then centralized root access management for AWS Organizations in November last year.

It appears that Google not only wanted to copy this roadmap but also to surpass it: some accounts within Google Cloud will be required to use MFA sooner than on AWS. This indicates that this form of security has gradually become more than a customer decision; it is now a basic requirement for using the cloud platform. That is a good thing and relatively rare. Making security a competitive advantage requires some awareness of the consequences of not adhering to the best security standards. Although MFA alone is not enough, we are one step closer to a healthy security landscape in the cloud.