broamski / aws-mfa

Manage AWS MFA Security Credentials
MIT License

Support for U2F keys #34

Open BastienM opened 5 years ago

BastienM commented 5 years ago

Hi,

AWS recently announced that Yubikeys can now be used as an MFA solution; sadly, aws-mfa does not support it yet. Is someone already working on that?

lhriley commented 5 years ago

Really, this topic should target generic FIDO-compliant U2F devices, not just Yubikey brand devices. I just got my Google Titan keys and was disheartened to realize that aws-mfa doesn't try to use them. I guess I have to go back to using Authy =\

broamski commented 5 years ago

Hi There! I anticipate this would not be a trivial change, especially since it looks like the command-line implementation will require some additional software. I'm definitely open to accepting PRs for anyone who would like to work on this!

BastienM commented 5 years ago

@lhriley: I didn't see the update on their blog post. I updated the title to include all U2F keys.

@broamski: I will try drafting solutions in my spare time and put together a PR :)

hallum commented 5 years ago

FYI, it looks like MFA using U2F is not supported yet via the CLI or API: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_u2f_supported_configurations.html

BastienM commented 5 years ago

Indeed. But it won't do any harm to prepare a PR ahead of time.

RAYs3T commented 5 years ago

Is there anything new to this?

BastienM commented 5 years ago

AWS still does not support 2FA keys for the CLI, sadly.

AWS currently supports using U2F security keys only in the AWS Management Console. Using U2F security keys for MFA is not currently supported in the AWS CLI and AWS API, or for access to MFA-protected API operations.

mrg2k8 commented 3 years ago

There's a workaround posted by AWS here and another workaround on GitHub here. Both use ykman to generate OATH-TOTP keys (like the ones from Google Authenticator), as AWSCLI still doesn't work with U2F MFA.
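
The ykman-based approach mentioned in the last comment, sketched as an added example (not code from this thread, from aws-mfa, or from the linked workarounds): the YubiKey's OATH application supplies a TOTP code, which is passed to `aws sts get-session-token`. It assumes the key's OATH credential is enrolled in IAM as a virtual (TOTP) MFA device; the function names, the OATH account name and the MFA ARN are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: temporary AWS credentials from a YubiKey-held TOTP secret.
# Assumptions (not from the thread): function names, the OATH account name,
# and the constructed MFA device ARN shown in the usage line at the bottom.

# Read the current code for one OATH account from the YubiKey.
# `--single` makes ykman print only the code, without the account name.
yubikey_totp() {
    _yk_code="$(ykman oath accounts code --single "$1")" || return 1
    # Accept exactly six digits; anything else (prompt text, an ambiguous
    # account match, an error string) must never reach the STS call.
    case "$_yk_code" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s\n' "$_yk_code" ;;
        *) echo "unexpected ykman output for account '$1'" >&2; return 1 ;;
    esac
}

# Exchange long-term keys plus the TOTP code for short-lived credentials.
# $1 = OATH account name on the key, $2 = MFA device ARN, $3 = lifetime (s)
mfa_session() {
    _mfa_serial="$2"
    _mfa_duration="${3:-3600}"
    # Fail early on a serial that is not an IAM MFA device ARN.
    case "$_mfa_serial" in
        arn:aws:iam::*:mfa/*) ;;
        *) echo "serial must be an IAM MFA device ARN" >&2; return 2 ;;
    esac
    _mfa_code="$(yubikey_totp "$1")" || return 1
    aws sts get-session-token \
        --serial-number "$_mfa_serial" \
        --token-code "$_mfa_code" \
        --duration-seconds "$_mfa_duration" \
        --output json
}

# Usage (constructed values):
#   mfa_session "aws-alice" "arn:aws:iam::123456789012:mfa/alice" 3600
```

The JSON printed by `mfa_session` contains the temporary access key, secret key and session token; keeping the lifetime short limits the exposure window if those values leak.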