Hacker News
by burntsushi 2565 days ago
AWS at least lets you sign in using alternative methods if you get locked out: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

Which in itself is a problem: it means the MFA device is not required, if only they have access to my email + phone.
Sure, I know. Just pointing out that, at least for AWS, you do not need recovery codes or a second device for MFA. For me personally, phone+email is good enough for my threat model.
Yes, AWS MFA is very poorly implemented.