Making AWS Console Passwordless

Ajit Hatti June 25, 2020 Passwordless

In this blog, we are going to discuss one of the many (and we mean MANY) use cases of our passwordless authentication platform - PureAuth. 

We are working with a number of organisations that use AWS services. For contingency and serviceability reasons, these organisations share access to the AWS console among multiple admins. However, this poses a big governance and compliance issue on top of the conventional risks of shared accounts.

Problems with Shared accounts

Shared accounts have been a widely accepted practice for assuring serviceability. This convenience comes at the cost of security and compliance.

In its writeup, The use and administration of shared accounts, SANS highlights the problem of managing passwords for shared accounts.

TL;DR: proper coordination is needed to change passwords periodically or on an ad hoc basis, and every time an admin joins or leaves.

Sharing a secret with multiple people increases the risk of (accidental) leakage, and the conventional approach of protecting a password with an additional factor (MFA/2FA or OTP) fails for a shared account, because the second factor is either shared as well or tied to a single person.

PureAUTH Solution

A simple SAML 2.0 integration of PureAUTH with the AWS console makes shared access passwordless and secure. PureAUTH helps govern shared accounts better by maintaining a strict mapping and accountability for each authentication instance. Our robust user on-boarding process gives an enterprise fine-grained control to audit, manage and revoke access for its users as needed.

SAML Integration with PureAuth (behind the scene)

PureAUTH provides Proof-of-Association based authentication to any application over a simple SAML 2.0 integration. We use the same interface to make AWS console login passwordless.

Our Patented Proof-of-Association based authentication assures better accountability and attribution even for shared accounts.

SAML Integration of AWS Console with PureAUTH

Authorization & Roles restriction 

AWS lets users choose their role at login time. PureAUTH also provides an optional facility to preselect the roles based on the user's entitlements.
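To make the SAML part of this concrete, here is an added example (not PureAUTH's code, and not code from the original post) showing the two AWS-specific SAML attributes a federated console login depends on: the Role attribute, whose values pair an IAM role ARN with the SAML provider ARN, and RoleSessionName, which carries the individual identity into the AWS session so a shared role still attributes each login to a person. The account id, provider name, role names and entitlement map are constructed placeholders. The validator only checks the attribute mapping against an entitlement list; a real service provider also verifies the assertion signature, audience and validity window before trusting any of these values.

```python
# Added example (not PureAUTH's code): build and validate the AWS SAML role
# attributes an identity provider emits for a federated console login.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample values: the account id and provider name are placeholders.
ACCOUNT = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/ExampleIdP"
ROLE_PREFIX = f"arn:aws:iam::{ACCOUNT}:role/"

# Constructed entitlement map: which IAM roles each individual may assume.
ENTITLEMENTS = {
    "alice@example.com": ["ConsoleAdmin", "ReadOnly"],
    "bob@example.com": ["ReadOnly"],
}


def role_pairs(user):
    """Return the 'role-arn,provider-arn' strings for the roles this user is entitled to."""
    return [f"{ROLE_PREFIX}{r},{PROVIDER_ARN}" for r in ENTITLEMENTS.get(user, [])]


def build_attribute_statement(user):
    """Emit the AttributeStatement an IdP would place in the assertion.

    RoleSessionName is set to the individual identity, so CloudTrail records
    who used the shared role rather than only which role was used.
    """
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    role = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=ROLE_ATTR)
    for pair in role_pairs(user):
        ET.SubElement(role, f"{{{SAML_NS}}}AttributeValue").text = pair
    sess = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=SESSION_NAME_ATTR)
    ET.SubElement(sess, f"{{{SAML_NS}}}AttributeValue").text = user
    return ET.tostring(stmt, encoding="unicode")


def validate_statement(xml_text, user):
    """Defender-side check of the attribute mapping.

    Every role in the assertion must be one the user is entitled to, the
    provider ARN must match, and RoleSessionName must equal the individual
    identity. Returns (ok, sorted role names found in the assertion).
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.findall(f"{{{SAML_NS}}}Attribute"):
        attrs[a.get("Name")] = [v.text for v in a.findall(f"{{{SAML_NS}}}AttributeValue")]

    roles = []
    for pair in attrs.get(ROLE_ATTR, []):
        role_arn, sep, provider = pair.partition(",")
        if not sep or provider != PROVIDER_ARN or not role_arn.startswith(ROLE_PREFIX):
            return False, []
        roles.append(role_arn[len(ROLE_PREFIX):])

    allowed = set(ENTITLEMENTS.get(user, []))
    if not roles or not set(roles) <= allowed:
        return False, sorted(roles)
    if attrs.get(SESSION_NAME_ATTR) != [user]:
        return False, sorted(roles)
    return True, sorted(roles)


if __name__ == "__main__":
    for who in ("alice@example.com", "bob@example.com"):
        print(who, validate_statement(build_attribute_statement(who), who))
```

When more than one Role value is present, the AWS sign-in page shows the role chooser described above; emitting only the roles in the entitlement map is what "preselecting the roles" amounts to at the assertion level, and the RoleSessionName value is what keeps each session attributable to a person even though the IAM role itself is shared.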

Passwordless Access

The video below demonstrates passwordless access to the AWS console with the PureAUTH platform. Here you can see a user getting authenticated to the AWS console with his valid profile contained in the VR5 app on his phone.

Conclusion

Going passwordless reduces risk and helps you better comply with policy and govern access to your crown jewels.

PureAUTH offers similar passwordless integrations for Google Cloud Platform, Azure, IBM Cloud and many more. Please get in touch with us for a free demo.
