Setting up an AWS account > MFA for AWS Accounts > U2F Security Key

U2F Security Key

The following steps require a U2F security key.

Enable U2F security key via Console

U2F is an open authentication standard hosted by the FIDO Alliance. When you enable a U2F key in AWS, the U2F security key creates a new key pair for use with only AWS. First, you enter your credentials. When prompted, you tap the U2F security key, which responds to the authentication challenge issued by AWS.

Sign-in to AWS Console.
In the upper right corner, you’ll see your account name, select and select My Security Credentials.

Note: To manage a U2F security key for your own IAM user while protecting sensitive MFA-related actions, you must have the permissions from the following policy.

In the left bar, select Policies then select Create policy. Select JSON tab and paste the policy document from below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

Select Next: Tags. You’ll be presented with a screen about Tags, a tool used to identify groups of AWS resources.
Select Next: Review. This is a screen that allows you to review the policy that you are creating.
Enter the name of the policy (for example, MFAHardDevice) and select Create policy.

MFA Policy

In the left bar, select Dashboard and then select Enable MFA.

Dashboard

Expand Multi-factor authentication (MFA) and then select Active MFA.

MFA Section

Under Manage MFA Device, select U2F security key then press Continue.
Plug the U2F security key into your computer.

Follow the on-screen prompts to press the U2F security key, and then select Close when U2F is successfully set up.