Set up a YubiKey
Set up a YubiKey as an MFA device for AWS
- Install the Yubico Authenticator app on your computer.
- Sign into the
- Select your email address in the top-right corner of the page.
- Choose Security credentials from the drop-down menu.
- Select Manage, which is next to Assigned MFA device.
- Specify your email address as the MFA device name.
- Select Authenticator app, not Security Key.
- Click to reveal the QR code.
- Open the Yubico Authenticator app, choose Add Account from the hamburger menu at the top-right of the window and choose Scan QR code.
- Make sure Require touch is enabled.
- Enter two consecutive codes from Yubico Authenticator and press Save.
Configure gds-cli to use the YubiKey:
gds config yubikey true
Go back to the Security credentials page and add the YubiKey again as a second MFA device, but choose Security Key this time.
You have now:
- added your YubiKey as a U2F/FIDO2 security key for logging into the AWS web console more securely and conveniently
- added your YubiKey as a legacy OATH MFA device for compatibility with gds-cli/aws-vault on the command line
⚠️ Now that you have an unphishable security key as an MFA device, you should never type or copy/paste the 6-digit OATH one-time codes. They’re only for gds-cli/aws-vault now, not for you.
Always use the Security Key option and not the legacy Authenticator app option when signing into the AWS web console.