
I asked AWS:

  1. How do I recover access to my AWS account if I lose the device with Google Authenticator installed?
  2. If my email is hacked, what will prevent the hacker from removing MFA?

Their answer essentially was:

https://aws.amazon.com/forms/aws-mfa-support

When you fill up the form, there is specialized team (Not from Premium Support) will contact you via phone ONLY within 15 minutes to verify your identity and ownership of this account. They have a very strict procedures to be followed before removing MFA from the root account. Any incorrect answer for their questions will result rejecting this request and ending the phone call.

Since I need to know how the verification process works in order to protect the information required, I asked for more details. After some back and forth, their final answer was:

We know customers care deeply about privacy and data security, and that's why our customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter. Disclosing our processes violates our privacy and security policies. We encourage you to refer to resources on the AWS Site for best practices in securing your account, as provided earlier, including the AWS Security Blog: https://aws.amazon.com/blogs/security/

Thank you for your understanding.

Why don't they make the verification process transparent? Otherwise, isn't it some kind of security through obscurity?

What can I do to make sure I don't get locked out of my AWS root account?

How can I make sure that a hacker who broke the first layer of authentication is not able to reset MFA?

Oleg M

2 Answers


AWS already answered your question about transparency:

Disclosing our processes violates our privacy and security policies.

To avoid being locked out of your root account, back up your two-factor authentication tokens. This will be specific to the solution you use.

If you use the Authy app for two-factor authentication, it can back up your two-factor logins, as well as make them available on multiple devices. Authy is protected by a password.

Regarding your question "How can I make sure that a hacker who broke the first layer of authentication is not able to reset MFA?"

Two-factor authentication means the hacker can't access your website without your phone or token, or, in the case of Authy, without the Authy account details. This is the whole point of 2FA: something you know (password) and something you have (token).

Tim
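As an added example (not part of Tim's answer, and not code from AWS, Google or Authy), the Python below implements RFC 6238 TOTP the way Google Authenticator computes codes. It shows what "back up your tokens" actually means: the base32 seed displayed at enrollment is the whole "something you have", so a copy of it kept offline lets a replacement device produce identical codes, while an attacker holding only your e-mail has nothing to derive codes from. The seed used is the RFC 4226/6238 reference test value, a constructed example rather than a real key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example seed: the RFC 4226/6238 reference test secret, not a real key.
EXAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as Google Authenticator uses it: HOTP over the 30-second time step."""
    return hotp(seed, unix_time // step, digits)


def seed_to_base32(seed: bytes) -> str:
    """The seed as it appears in the otpauth:// QR code / manual-entry key.
    Stored offline, this string is a complete backup of the second factor."""
    return base64.b32encode(seed).decode("ascii").rstrip("=")


def seed_from_base32(text: str) -> bytes:
    """Re-enroll a replacement device from the backed-up string (restores stripped padding)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def verify_totp(seed: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Verifier-side check: accept +/- `window` steps of clock drift, compare in constant time."""
    return any(hmac.compare_digest(totp(seed, unix_time + 30 * d), candidate)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    backup = seed_to_base32(EXAMPLE_SEED)          # what you would store offline at enrollment
    restored = seed_from_base32(backup)            # what a new phone gets after losing the old one
    now = int(time.time())
    # Both devices hold the same seed, so they generate the same code for the same time step.
    print(backup, totp(EXAMPLE_SEED, now), totp(restored, now))
```

Without the seed (or a vendor backup such as Authy's, which is just this seed stored encrypted) no code can be produced, which is exactly why the only remaining path is AWS's manual identity-verification process.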

When you fill up the form, there is specialized team (Not from Premium Support) will contact you via phone ONLY within 15 minutes to verify your identity and ownership of this account. They have a very strict procedures to be followed before removing MFA from the root account. Any incorrect answer for their questions will result rejecting this request and ending the phone call.

The grammatical errors in this quote make me wonder exactly who gave you that answer. I'm confident that the Amazon webpage about recovery of your MFA states a better quote:

Please tell us about the problem you are experiencing with your MFA device and provide the phone number we can use to reach you. We will call you within 15 minutes of your request for assistance.

And spelling mistakes are sometimes good indicators.


Nevertheless,

Why don't they make the verification process transparent? Otherwise, isn't it some kind of security through obscurity?

The answer to that should really be "why not?". It could be security through obscurity, but it most likely is a process that is changing too quickly to document extensively. In other words, AWS is still working on the process by which an MFA can be recovered, and documenting it would just give them more work to keep documenting every change.

(I'm often in touch with a pentest team on AWS (inside a pub on Fridays most of the time, but that still counts) and can guess that the latter is much more likely.)

What can I do to make sure I don't get locked out of my AWS root account?

On the same page you see a form to send a request to AWS admins, who will talk to you and verify your identity. If they succeed in checking your identity (i.e. you succeed in proving that you are yourself), they will redirect one part of the multi-factor auth.

How can I make sure that a hacker who broke the first layer of authentication is not able to reset MFA?

Assuming that a hacker who broke through the first part of the MFA would report your device as stolen, the first thing an AWS admin/operator would do would be to call the device. If you answer the device, then it is a question of whether you are more capable of proving that you're yourself or a hacker is able to prove that he is you. That may seem like something easy for a hacker to get through, but it is not that easy; after all:

  • For how long do you have your AWS account?
  • How often do you log in to the web interface?
  • How many EC2 machines are currently running on this account?
  • ...

So yeah, as @Tim said already, that's the whole point of MFA: something you know plus something you have. This, extended to more things you may know/not have (e.g. the "stolen" device that was reported), can make for good identification.


Moreover, if the AWS account is very important (e.g. you are the main admin of the IAM for your organization), you can choose an MFA option with hardware provided by Amazon. It then becomes 3-factor auth: password, smartphone with app and a key fob. If you manage to lose the smartphone and the key fob at the same time, you must be particularly unlucky.

grochmal