Supported configurations for using FIDO security keys
You can use WebAuthn as a multi-factor authentication (MFA) method with IAM using currently supported configurations. These include FIDO Certified devices supported by IAM and browsers that support WebAuthn.
FIDO devices supported by Amazon
IAM currently supports FIDO Certified security devices that connect to your devices through USB, Bluetooth, or NFC. We don't support platform authenticators such as TouchID, FaceID, or Windows Hello.
Note
Amazon requires access to the physical USB port on your computer to verify your FIDO Certified device. WebAuthn MFA will not work with a virtual machine, a remote connection, or a browser's incognito mode.
The FIDO Alliance maintains a list of all FIDO Certified products.
Browsers that support WebAuthn
The following browsers currently support the use of FIDO Certified security keys:
| Browser | macOS 10.15+ | Windows 10 | Linux |
|---|---|---|---|
| Chrome | Yes | Yes | Yes |
| Safari | Yes | No | No |
| Edge | Yes | Yes | Yes |
| Firefox | Yes | Yes | Yes |
Note
Most Firefox versions that currently support WebAuthn don't enable support by default. For instructions on enabling WebAuthn support in Firefox, see Troubleshooting FIDO security keys.
Browser plugins
Amazon supports only browsers that natively support the FIDO2 WebAuthn standard. Amazon doesn't support using plugins to add FIDO2 WebAuthn browser support. Some browser plugins are incompatible with the FIDO U2F standard and can cause unexpected results with FIDO2 security keys.
For information on disabling browser plugins and other troubleshooting tips, see I can't enable my FIDO security key.
Mobile environments
The following mobile browsers currently support the use of FIDO Certified security keys:
| Browser | iOS 14.5+ | Android 7+ |
|---|---|---|
| Chrome | Yes | Yes |
| Safari | Yes | No |
| Edge | No | No |
| Firefox | Yes | No |
Note
The Amazon Console Mobile App doesn't support using FIDO Certified security keys for MFA.
Device certifications
We capture and assign device-related certifications, such as FIPS validation and FIDO certification level, only during the registration of a FIDO security key. Your device certification is retrieved from the FIDO Alliance Metadata Service (MDS).
Amazon provides the following certification types as condition keys during device registration, obtained from the FIDO MDS: FIPS-140-2, FIPS-140-3, and FIDO certification levels. You can restrict registration to specific authenticators in your IAM policies, based on your preferred certification type and level. For more information, see the policies below.
Example policies for device certifications
The following use cases show sample policies that allow you to register MFA devices with FIPS certifications.
Topics
- Use case 1: Allow registering only devices that have FIPS-140-2 L2 certifications
- Use case 2: Allow registering devices that have FIPS-140-2 L2 and FIDO L1 certifications
- Use case 3: Allow registering devices that have either FIPS-140-2 L2 or FIPS-140-3 L2 certifications
- Use case 4: Allow registering devices that have FIPS-140-2 L2 certification and support other MFA types like virtual authenticators and hardware TOTP
Use case 1: Allow registering only devices that have FIPS-140-2 L2 certifications
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Create"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Activate",
          "iam:FIDO-FIPS-140-2-certification": "L2"
        }
      }
    }
  ]
}
Use case 2: Allow registering devices that have FIPS-140-2 L2 and FIDO L1 certifications
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Create"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Activate",
          "iam:FIDO-FIPS-140-2-certification": "L2",
          "iam:FIDO-certification": "L1"
        }
      }
    }
  ]
}
Use case 3: Allow registering devices that have either FIPS-140-2 L2 or FIPS-140-3 L2 certifications
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Create"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Activate",
          "iam:FIDO-FIPS-140-2-certification": "L2"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Activate",
          "iam:FIDO-FIPS-140-3-certification": "L2"
        }
      }
    }
  ]
}
Use case 4: Allow registering devices that have FIPS-140-2 L2 certification and support other MFA types like virtual authenticators and hardware TOTP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Create"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Activate",
          "iam:FIDO-FIPS-140-2-certification": "L2"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "Null": {
          "iam:RegisterSecurityKey": "true"
        }
      }
    }
  ]
}
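The policies above are easy to misread: each one needs a separate statement for the `Create` phase, the `Activate` statements only match when the certification key is present with the exact value, and use case 4 relies on a `Null` condition to let virtual and hardware TOTP devices through, because those requests carry no `iam:RegisterSecurityKey` key at all. The script below is an added illustration, not IAM's policy engine and not code from this documentation: it models only the pieces these samples use (Allow statements, `StringEquals`, `Null`, default deny), assumes that a security-key registration must be allowed in both the `Create` and the `Activate` phase (which is why every sample carries both statements), and evaluates use cases 3 and 4 against constructed request contexts for a FIPS-140-2 L2 key, a FIPS-140-3 L2 key, a non-FIPS key, and a virtual MFA device.

```python
"""Minimal evaluator for the policy shapes in use cases 1-4 (added example).

Only what the samples need is modelled: Allow statements, StringEquals, Null,
and IAM's default deny when nothing matches. Deny statements, resource ARNs,
SCPs and permission boundaries are out of scope. Request contexts are
constructed for this example; real values come from the FIDO MDS at Activate.
"""

ACTION = "iam:EnableMFADevice"
CREATE_CTX = {"iam:RegisterSecurityKey": "Create"}


def _string_equals(expected: dict, ctx: dict) -> bool:
    """Every listed key must be present and equal; a missing key never matches."""
    return all(ctx.get(k) == v for k, v in expected.items())


def _null(expected: dict, ctx: dict) -> bool:
    """Null: "true" requires the key to be absent from the request, "false" present."""
    return all((k not in ctx) == (v == "true") for k, v in expected.items())


_OPERATORS = {"StringEquals": _string_equals, "Null": _null}


def statement_matches(stmt: dict, action: str, ctx: dict) -> bool:
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions:
        return False
    # Every condition operator in the statement must hold (AND across operators).
    return all(_OPERATORS[op](exp, ctx) for op, exp in stmt.get("Condition", {}).items())


def is_allowed(policy: dict, action: str, ctx: dict) -> bool:
    """Default deny; any matching Allow grants (the samples contain no Deny)."""
    return any(s["Effect"] == "Allow" and statement_matches(s, action, ctx)
               for s in policy["Statement"])


def registration_allowed(policy: dict, activate_ctx: dict) -> bool:
    """Assumed two-phase flow: the Create call and the Activate call (which carries
    the device's certification keys) must both be allowed for the key to register."""
    return is_allowed(policy, ACTION, CREATE_CTX) and is_allowed(policy, ACTION, activate_ctx)


def allow(condition: dict) -> dict:
    """Build one Allow statement in the shape the samples use."""
    return {"Effect": "Allow", "Action": ACTION, "Resource": "*", "Condition": condition}


CREATE_STMT = allow({"StringEquals": CREATE_CTX})

# Use case 3: either FIPS-140-2 L2 or FIPS-140-3 L2 (two Activate statements, OR'd).
USE_CASE_3 = {"Version": "2012-10-17", "Statement": [
    CREATE_STMT,
    allow({"StringEquals": {"iam:RegisterSecurityKey": "Activate",
                            "iam:FIDO-FIPS-140-2-certification": "L2"}}),
    allow({"StringEquals": {"iam:RegisterSecurityKey": "Activate",
                            "iam:FIDO-FIPS-140-3-certification": "L2"}}),
]}

# Use case 4: FIPS-140-2 L2 keys, plus any request that is not a security-key
# registration at all (virtual MFA, hardware TOTP) via the Null condition.
USE_CASE_4 = {"Version": "2012-10-17", "Statement": [
    CREATE_STMT,
    allow({"StringEquals": {"iam:RegisterSecurityKey": "Activate",
                            "iam:FIDO-FIPS-140-2-certification": "L2"}}),
    allow({"Null": {"iam:RegisterSecurityKey": "true"}}),
]}

# Constructed Activate-phase contexts (not real MDS data).
FIPS2_KEY = {"iam:RegisterSecurityKey": "Activate",
             "iam:FIDO-FIPS-140-2-certification": "L2", "iam:FIDO-certification": "L1"}
FIPS3_KEY = {"iam:RegisterSecurityKey": "Activate",
             "iam:FIDO-FIPS-140-3-certification": "L2"}
PLAIN_KEY = {"iam:RegisterSecurityKey": "Activate", "iam:FIDO-certification": "L1"}
VIRTUAL_MFA = {}  # virtual/TOTP registration: no iam:RegisterSecurityKey key


if __name__ == "__main__":
    for name, ctx in [("FIPS-140-2 L2", FIPS2_KEY), ("FIPS-140-3 L2", FIPS3_KEY),
                      ("non-FIPS", PLAIN_KEY)]:
        print(f"{name:14} use case 3: {registration_allowed(USE_CASE_3, ctx)}"
              f"  use case 4: {registration_allowed(USE_CASE_4, ctx)}")
    print(f"virtual MFA    use case 3: {is_allowed(USE_CASE_3, ACTION, VIRTUAL_MFA)}"
          f"  use case 4: {is_allowed(USE_CASE_4, ACTION, VIRTUAL_MFA)}")
```

The run shows the behaviour a reviewer should check before deploying such a policy: under use case 3 a virtual MFA device is denied because neither `StringEquals` statement can match a request without the certification key, while under use case 4 the `Null` statement admits it; and a FIDO key without the required FIPS level is denied under both, even though its `Create` phase is allowed.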
Amazon CLI and Amazon API
Amazon supports using FIDO Certified security keys only in the Amazon Web Services Management Console. Using FIDO Certified security keys for MFA is not supported in the Amazon CLI and Amazon API.
Additional resources
- For more information on using FIDO Certified security keys in Amazon, see Enabling a FIDO security key (console).
- For help with troubleshooting FIDO Certified security keys in Amazon, see Troubleshooting FIDO security keys.
- For general industry information on FIDO2 support, see FIDO2 Project.