1
00:00:06,870 --> 00:00:08,983
- OK, so now let's run through another Demo,

2
00:00:08,983 --> 00:00:12,066
Managing an MFA Device for our users.

3
00:00:15,964 --> 00:00:18,240
So again, I'm logged into the console.

4
00:00:18,240 --> 00:00:21,314
I'm here at the Identity and Access Management Dashboard,

5
00:00:21,314 --> 00:00:24,953
and what I want to do in this example is to add

6
00:00:24,953 --> 00:00:27,837
an MFA device, Multifactor Authentication,

7
00:00:27,837 --> 00:00:30,044
for a particular user.

8
00:00:30,044 --> 00:00:32,299
In this case we're going to use the Jane Doe user

9
00:00:32,299 --> 00:00:33,904
that we've created.

10
00:00:33,904 --> 00:00:37,051
So I'm going to click through to that user's details.

11
00:00:37,051 --> 00:00:38,836
I'm gonna scroll down, make sure that I'm on the

12
00:00:38,836 --> 00:00:40,851
Security Credentials tab.

13
00:00:40,851 --> 00:00:43,291
I'm going to scroll down.

14
00:00:43,291 --> 00:00:46,806
And you can see that Jane Doe does not yet have

15
00:00:46,806 --> 00:00:50,630
a Multifactor Authentication device listed.

16
00:00:50,630 --> 00:00:53,397
So you can see here that we have two options.

17
00:00:53,397 --> 00:00:56,240
We can use a virtual MFA device that's for an

18
00:00:56,240 --> 00:00:58,861
application on a smartphone, or we can use

19
00:00:58,861 --> 00:01:00,709
a hardware MFA device.

20
00:01:00,709 --> 00:01:03,698
Now, in order to use the hardware MFA device, and again

21
00:01:03,698 --> 00:01:08,288
the hardware option is recommended for your root account,

22
00:01:08,288 --> 00:01:11,114
and you would have to order that hardware MFA device

23
00:01:11,114 --> 00:01:12,864
directly from Amazon.

24
00:01:13,835 --> 00:01:17,677
In this example we're going to use a virtual MFA device

25
00:01:17,677 --> 00:01:20,703
that would be there are a number of different applications

26
00:01:20,703 --> 00:01:24,117
available for smartphones such as Authy or

27
00:01:24,117 --> 00:01:28,077
Google Authenticator, just to name a couple.

28
00:01:28,077 --> 00:01:31,244
So, I'm going to click that, hit Next.

29
00:01:32,590 --> 00:01:36,423
Yes, I understand that it is for a smartphone.

30
00:01:37,793 --> 00:01:39,254
I'm gonna click Next.

31
00:01:39,254 --> 00:01:41,421
And you can see from here,

32
00:01:42,504 --> 00:01:46,467
it gives us this particular QR code that we would use

33
00:01:46,467 --> 00:01:49,941
the application on our phone to scan this,

34
00:01:49,941 --> 00:01:53,183
and then that application will automatically configure

35
00:01:53,183 --> 00:01:55,174
that MFA code.

36
00:01:55,174 --> 00:01:58,637
I could, alternately, for some other applications that

37
00:01:58,637 --> 00:02:01,480
don't have the ability to scan that QR code,

38
00:02:01,480 --> 00:02:05,107
I could show the Secret Key, and then just copy and paste

39
00:02:05,107 --> 00:02:08,501
that and put it into the application.

40
00:02:08,501 --> 00:02:12,593
And then of course, in order to be able to use this device,

41
00:02:12,593 --> 00:02:15,693
what we would do is we would implement the

42
00:02:15,693 --> 00:02:18,276
authentication code twice,

43
00:02:18,276 --> 00:02:20,025
and from there once we have those codes,

44
00:02:20,025 --> 00:02:24,155
we could then activate that virtual MFA.

45
00:02:24,155 --> 00:02:27,565
OK, so from here I'm going to use the application

46
00:02:27,565 --> 00:02:31,648
on my smartphone to scan this particular QR code.

47
00:02:33,585 --> 00:02:36,085
And then once I've got that done,

48
00:02:36,085 --> 00:02:37,585
I want to take the

49
00:02:41,568 --> 00:02:43,485
codes from that device.

50
00:02:49,187 --> 00:02:53,038
I'm going to add the first code here.

51
00:02:53,038 --> 00:02:53,900
And then wait.

52
00:02:53,900 --> 00:02:56,743
It's gonna take a few seconds up to 30 seconds.

53
00:02:56,743 --> 00:02:59,743
Every 30 seconds the code rotates to another one.

54
00:02:59,743 --> 00:03:04,152
So in order to activate this MFA device, we need to

55
00:03:04,152 --> 00:03:07,470
put in two consecutive codes so that it ensures that we

56
00:03:07,470 --> 00:03:10,256
actually have it configured correctly.

57
00:03:10,256 --> 00:03:15,132
So the next code that comes up would be this one here.

58
00:03:15,132 --> 00:03:19,480
Two codes, and it ensures that both of them were correct,

59
00:03:19,480 --> 00:03:23,114
and now I have the Multifactor Authentication

60
00:03:23,114 --> 00:03:24,153
configured correctly.

61
00:03:24,153 --> 00:03:27,497
So now, and of course I would have done that on

62
00:03:27,497 --> 00:03:30,443
Jane's phone, in some organizations sometimes,

63
00:03:30,443 --> 00:03:33,978
if it's a small team, I might just have Jane come over

64
00:03:33,978 --> 00:03:36,973
to my desk and have her use her phone to scan that

65
00:03:36,973 --> 00:03:39,249
QR code and set up the MFA.

66
00:03:39,249 --> 00:03:42,294
In larger organizations, that's perhaps not feasible

67
00:03:42,294 --> 00:03:45,009
especially if you are dealing with people that are remote,

68
00:03:45,009 --> 00:03:49,013
and so in those situations you want to give those users

69
00:03:49,013 --> 00:03:53,146
permission to manage their own MFA device.

70
00:03:53,146 --> 00:03:57,146
Now it's important to, in some cases, deactivate

71
00:03:58,400 --> 00:04:00,092
an MFA device.

72
00:04:00,092 --> 00:04:02,077
Let's say that Jane lost her phone.

73
00:04:02,077 --> 00:04:05,854
That's a really good time to come in and deactivate that

74
00:04:05,854 --> 00:04:09,452
so that whoever picks up her phone can't go and start

75
00:04:09,452 --> 00:04:11,382
using her MFA device.

76
00:04:11,382 --> 00:04:15,791
So in that case, we want to be sure to click that

77
00:04:15,791 --> 00:04:16,735
and deactivate.

78
00:04:16,735 --> 00:04:21,550
It's pretty rare for virtual MFA devices to have to be

79
00:04:21,550 --> 00:04:24,689
resynchronized, but for physical key fobs sometimes

80
00:04:24,689 --> 00:04:26,040
you have to do that.

81
00:04:26,040 --> 00:04:29,627
But in this case, considering that Jane may have

82
00:04:29,627 --> 00:04:32,498
lost her phone, I want to deactivate that.

83
00:04:32,498 --> 00:04:35,824
I'm gonna choose Deactivate, click Next,

84
00:04:35,824 --> 00:04:39,094
and now the MFA device is gone.

85
00:04:39,094 --> 00:04:42,721
So that's how we manage an MFA device for a user

86
00:04:42,721 --> 00:04:46,888
within Amazon Web Services Identity and Access Management.