Warning: This document has not been updated for a while now. It may be out of date.
Last updated: 16 Feb 2024
Set up a YubiKey
Set up a YubiKey as an MFA device for AWS
- Install the Yubico Authenticator app on your computer.
- Sign into the gds-users AWS account.
- Select your email address in the top-right corner of the page.
- Choose Security credentials from the drop-down menu.
- Select Manage, which is next to Assigned MFA device.
- Specify your email address as the MFA device name.
- Select Authenticator app, not Security Key.
- Click to reveal the QR code.
- Open the Yubico Authenticator app, choose Add Account from the hamburger menu at the top-right of the window and choose Scan QR code.
- Make sure Require touch is enabled.
- Enter two consecutive codes from Yubico Authenticator and press Save.
Configure gds-cli to use the YubiKey:
gds config yubikey true
Go back to the Security credentials page and add the YubiKey again as a second MFA device, but choose Security Key this time.
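The "two consecutive codes" step above is how AWS confirms that the authenticator holds the right secret and has a correct clock. As an added example (not part of the original page, and an approximation rather than AWS's actual implementation), this Python reproduces the RFC 6238 check behind it: TOTP with HMAC-SHA1, 30-second steps and 6 digits, accepting enrolment only when the two codes come from adjacent time steps close to the current time. The secret, the tolerance window and the timestamps are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 parameters used by the AWS "Authenticator app" (virtual MFA) option:
# HMAC-SHA1, 30-second time step, 6-digit codes.
TIME_STEP = 30
DIGITS = 6

# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, counter: int) -> str:
    """Compute the TOTP code for one time-step counter (RFC 4226 dynamic truncation)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_enrolment(secret_b32: str, code1: str, code2: str,
                     now: Optional[float] = None, window: int = 2) -> bool:
    """Approximation (assumed, not AWS's code) of the enrolment check: the two
    submitted codes must be generated from consecutive time steps, and the first
    must fall within +/- `window` steps of the server's clock. Reversed order or
    a mismatched second code is rejected."""
    if now is None:
        now = time.time()
    current = int(now // TIME_STEP)
    for counter in range(current - window, current + window + 1):
        if (hmac.compare_digest(totp(secret_b32, counter), code1)
                and hmac.compare_digest(totp(secret_b32, counter + 1), code2)):
            return True
    return False


if __name__ == "__main__":
    # Show what an authenticator would display for two adjacent steps at a fixed time.
    t = 1111111111
    c = int(t // TIME_STEP)
    print(totp(SAMPLE_SECRET, c), totp(SAMPLE_SECRET, c + 1))
    print(verify_enrolment(SAMPLE_SECRET, totp(SAMPLE_SECRET, c), totp(SAMPLE_SECRET, c + 1), now=t))
```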
You have now:
- added your YubiKey as a U2F/FIDO2 security key for logging into the AWS web console more securely and conveniently
- added your YubiKey as a legacy OATH MFA device for compatibility with gds-cli/aws-vault on the command line
⚠️ Now that you have an unphishable security key as an MFA device, you should never type or copy/paste the 6-digit OATH one-time codes. They’re only for gds-cli/aws-vault now, not for you.
Always use the Security Key option and not the legacy Authenticator app option when signing into the AWS web console.