Nitrokey / nitrokey-app

Nitrokey's Application (Win, Linux, Mac)
https://www.nitrokey.com/

How To Get AWS MFA Device Serial Number #350

Closed Jeeppler closed 6 years ago

Jeeppler commented 6 years ago

Amazon Web Services (AWS) requires a device serial number to be able to use their Multi-Factor Authentication (MFA) with a hardware device (AWS calls it: Hardware MFA Device). I would like to use the Nitrokey Storage as a Hardware MFA Device in AWS. AWS accepts only serial numbers which are at least 9 and at most 255 characters long. The serial number shown in the Nitrokey App is only 8 characters long. How do I get the serial number for the Nitrokey Storage device which I can use with AWS?

szszszsz commented 6 years ago

Hi! Please check device model and firmware version.

szszszsz commented 6 years ago

Additional 0 prefix could be added to the serial number to solve this. This would be a fix on the App side - on hardware it still will be stored as 8-digit number. Would that work for you?

Jeeppler commented 6 years ago

After adding an additional 0 prefix I got the following error:

We encountered the following errors while processing your request:
MFA Device with serial number 00000xxxx doesn't exist.

szszszsz commented 6 years ago

Perhaps you must register the device within the service first? I do not know the AWS/MFA system, so I could not help with the details. Alternatively you can try the 'software' method (the one with Google Authenticator mentioned) and write the displayed secret to the device anyway.

Jeeppler commented 6 years ago

@szszszsz I was trying to find a way to register the device. However, I could not find any resources until now. I will keep looking, but was hoping somebody else has maybe a hint.

szszszsz commented 6 years ago

I see. Looking at https://aws.amazon.com/iam/details/mfa/, it seems like Virtual MFA Device should work with any TOTP-compatible device. Have you tried this?

Perhaps MFA Device is some Amazon solution, where serial numbers are tracked to counter spoofing. But again, I do not know more than one could from briefly looking at the mentioned site and the error message you have supplied.

Jeeppler commented 6 years ago

The Virtual MFA Device will require you to scan a bar code.

The question is could Nitrokey add the serial numbers into the AWS database?

szszszsz commented 6 years ago

Besides the bar code there should be a base32 secret string somewhere. I think it would be best to ask AWS support, how to add own TOTP compliant device.

Jeeppler commented 6 years ago

Yes, you are right, I can find the base32 secret if I click on the Hide secret configuration key link (dropdown).

(screenshot: aws_mfa_virtual_device)

However, if I try to copy and paste the base32 secret into Nitrokey-App, I get the following error message: "Entered OTP 'Secret Key' string is longer than supported by this device".

(screenshot: otp_secret_key_to_long)

szszszsz commented 6 years ago

You probably want to use 320-bit secret, as in https://github.com/Nitrokey/nitrokey-app/issues/26. If this is a Storage device, then it is not supported yet (it stores up to 160 bits), but the work is in progress. Pro v0.8 already works with 320 bit secrets. Please follow https://github.com/Nitrokey/nitrokey-storage-firmware/issues/23 for updates.

Jeeppler commented 6 years ago

Yes, that is what I want to do. Thank you for confirming that it currently does not work.

szszszsz commented 6 years ago

Closing due to being solved indirectly.

Jeeppler commented 6 years ago

@szszszsz could you please elaborate on how this is solved indirectly?

alex-nitrokey commented 6 years ago

It is an issue of its own in storage firmware, therefore it does not make sense to keep it open here.

szszszsz commented 6 years ago

@Jeeppler Sorry if that sounded inappropriate! The original issue was about handling the device as an Amazon Hardware MFA Device. We had established that it is not possible due to the device's serial number not being registered in Amazon's system, and I had suggested using Amazon's software token (Virtual MFA device), where it gives the TOTP secret; this is what I was referring to while closing the issue. Sadly it turned out it will not work with your device due to its current firmware limitations, but this is not an issue of the Nitrokey App itself (which supports Amazon's 320-bit secrets), and after a redirection to the actual cause, this issue should be closed (as @alex-nitrokey pointed out, to prevent duplication).

Jeeppler commented 6 years ago

@szszszsz thanks for the explanation.

szszszsz commented 5 years ago

Just FYI: latest Nitrokey Storage is handling 320 bits of OTP secret: https://github.com/Nitrokey/nitrokey-storage-firmware/releases/tag/V0.54