Lost MFA Key & Recovering AWS Root Account
As a security measure, I had multi-factor authentication (MFA) enabled on my AWS root user account & I was using a secondary user account with admin privileges as my regular handle. Last time I had to reset my iPad to downgrade to a stable OS version, I also lost my AWS TOTP signature key, which I realized days later when I tried to sign in to my AWS account.
I was using LastPass Authenticator to generate TOTP codes, which actually had my AWS signature key saved in it. I had no clue the Authenticator saves the authentication key locally. They sell cloud backup as a feature of the paid tier. I was locked out of my AWS root account, well, almost.
Actually there is an option to recover the root account in case a user loses his MFA device, but when I tried I was out of luck. The option to get a verification email was broken. It has been more than a week now; I re-attempted a while back & the option was fixed.
Recovery
- On the sign-in page, I filled in my email address & password.
- Next, I was asked for the MFA code, and there was an option reading ‘troubleshoot MFA’.
- I clicked that & was again presented with two options: a) re-sync MFA device, b) sign in using alternative factors.
- I went for the second option & it prompted for email verification & confirming a code over a voice call, but to my amazement the last unredacted digits of the cell number shown were wrong.
- After checking the AWS docs I found a way to update my cell no.
- After logging into my secondary AWS user account, which is equipped with admin privileges, I was able to update my cell no.
- Repeating the actions again up to step 4 & after verifying the code over an automated voice call, I was let in.
- The first thing I did was remove the MFA device, which the AWS prompt also suggested.
That got me some real peace of mind after a while, even though the secondary user account was equipped with admin rights. But who knows when access to the root account could’ve been really important, like updating billing details. Dangit xD.
I am enabling MFA again, but this time I will either look into a cloud-based authenticator or make a backup of the TOTP key with AES encryption over iCloud.
So that is all for this post. Hope you learned something from my mistake.