This new capability is available when using AWS SSO or Microsoft Active Directory as your identity source. It extends the existing MFA functionality of AWS SSO to help you enable the best protection for your users that meets your organization’s usability, security, and compliance needs. In addition to the currently supported MFA capabilities of one-time password (OTP) applications and RADIUS authenticators, AWS SSO now offers complete standards-based strong authentication capabilities to all your users across all identity sources, now including native AWS SSO users and users from your connected Microsoft Active Directory.
You can use any supported AWS SSO MFA methods, now including FIDO-compatible security keys and built-in authenticators, to harden access centrally to multiple AWS accounts, including access to AWS Management Console and AWS CLI. Your users can register and manage additional hardware security keys and built-in authenticators in the AWS SSO User Portal, to prevent productivity loss in case of a lost or damaged MFA device. To learn more, see the AWS SSO User Guide.
It is easy to get started with AWS SSO. With just a few clicks in the AWS SSO management console you can create users in AWS SSO or connect your existing identity source, configure MFA to secure access to all of your AWS Organizations accounts and hundreds of pre-integrated cloud applications, and provide your users simple access through a single user portal. To learn more, please visit AWS Single Sign-On.
There is no cost for AWS SSO, and it is available in the US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Seoul), Asia Pacific (Tokyo), Asia Pacific (Mumbai), EU (Ireland), EU (Frankfurt), EU (London), and EU (Stockholm) Regions.