MFA (Multi-Factor Authentication)
💡 Definition
Multi-Factor Authentication (MFA) is a security feature that requires users to prove their identity with two or more verification factors from different categories (for example a password plus a code from a device they hold) before they are granted access to a resource. It adds a layer of protection beyond a username and password: a stolen or guessed password alone is no longer enough to sign in.
🔑 Key Concepts
- Something You Know: A password or PIN.
- Something You Have: A physical device in your possession (e.g., a hardware token, a phone running an authenticator app, a FIDO security key such as a YubiKey).
- Something You Are: Biometric data (e.g., fingerprint, facial recognition).
- Factors only count as "multi-factor" when they come from different categories; a password plus a security question is still a single factor (both are things you know).
- Virtual MFA Device: An authenticator app (e.g., Google Authenticator, Authy) on a smartphone that generates time-based codes. This is the AWS term for a software TOTP device.
- Hardware MFA Device: A physical token that generates codes, or a FIDO security key that you plug in or tap; AWS IAM supports both kinds.
⚙️ How it Works
When a user attempts to log in, they first provide their password (something they know). They are then prompted for a second factor: typically a six-digit code from their MFA device (something they have), or a touch of a security key. Code-generating virtual and hardware devices work like this: at enrolment the device and AWS share a secret key; from then on both sides compute a code from that secret and the current 30-second time window (the TOTP standard, RFC 6238), so the code AWS expects matches the one the app displays, and an old code stops working once its window passes. An attacker who holds only the password cannot produce the code, which is why the combination is much stronger than a password alone.
🎯 Use Cases
- Securing the Root User: AWS strongly recommends enabling MFA on the account root user. The root user has full access to every resource and its permissions cannot be restricted by IAM policies, so MFA is the main safeguard if its password leaks.
- Protecting IAM Users: Enforce MFA for users with administrative privileges or access to sensitive data, for example with an IAM policy that denies actions unless the `aws:MultiFactorAuthPresent` condition key is true.
- Compliance: Many security best practices and compliance frameworks (like PCI DSS) require MFA for administrative access.
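As an added example (not part of the original notes and not AWS's own code), here is the weak policy beside the hardened one, and a deliberately reduced evaluator that shows why the hardened version needs an explicit Deny with `BoolIfExists`. The policy shape follows the AWS-documented "deny everything except MFA enrolment unless MFA is present" pattern; the evaluator handles only Action/NotAction and Bool/BoolIfExists conditions and ignores Resource matching, so it illustrates the semantics rather than reproducing IAM's engine. The request contexts are constructed inputs.

```python
import json
from fnmatch import fnmatchcase

# Condition key IAM/STS populates on requests made from an MFA-authenticated session.
MFA_KEY = "aws:MultiFactorAuthPresent"

# Weak: grants the actions with no MFA requirement at all.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# Hardened: same grant, plus an explicit Deny that fires whenever the request was not
# MFA-authenticated. BoolIfExists (not Bool) is deliberate: on some requests the key is
# absent rather than "false", and a plain Bool test would not match, so the Deny would
# silently never apply. NotAction carves out the calls needed to enrol a device;
# without it a user who has no MFA yet could never set one up.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
        },
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(stmt, action):
    if "Action" in stmt:
        return any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def _condition_matches(condition, context):
    # Simplified: only Bool / BoolIfExists on string-valued keys, enough for the MFA key.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue  # "...IfExists": a missing key counts as a match
                return False  # plain Bool on a missing key never matches
            if context[key].lower() != wanted.lower():
                return False
    return True


def evaluate(policy, action, context):
    """Reduced IAM evaluation: an explicit Deny beats any Allow, and a request that
    matches nothing is an implicit deny. Resource matching is ignored here."""
    decision = "implicit deny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    # Constructed request contexts: key absent, present-and-false, present-and-true.
    for ctx in ({}, {MFA_KEY: "false"}, {MFA_KEY: "true"}):
        print(ctx, "weak:", evaluate(WEAK_POLICY, "s3:GetObject", ctx),
              "hardened:", evaluate(HARDENED_POLICY, "s3:GetObject", ctx))
    print(json.dumps(HARDENED_POLICY, indent=2))  # document to attach to the user or group
```

Before relying on a policy like this in a real account, run it through the IAM policy simulator against both an MFA and a non-MFA session; the usual mistake is writing `"Bool": {"aws:MultiFactorAuthPresent": "false"}`, which looks equivalent but leaves requests without the key unrestricted.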
💰 Pricing Model
- Virtual MFA: Free (using smartphone apps); AWS does not charge for MFA itself.
- Hardware MFA: You purchase the physical device (token or security key); there is no additional AWS charge for using it.
📝 Exam Tips (CLF-C02)
- Crucial for the Root User of your AWS account.
- Adds extra security against unauthorized access.
- An IAM Best Practice.