Amazon Adds Multi-Factor Authentication: Why Now? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Information Management
Commentary
11/20/2015
10:05 AM
Larry Loeb
Larry Loeb
Commentary
50%
50%

Amazon Adds Multi-Factor Authentication: Why Now?

Amazon has quietly added support for multi-factor authentication for customers using its ecommerce site in the US. Why would the company do this now?

Insider Threats: 10 Ways To Protect Your Data
Insider Threats: 10 Ways To Protect Your Data
(Click image for larger view and slideshow.)

With little fanfare and about as far under the radar as you can go, Amazon added multi-factor authentication (MFA) to its e-commerce website.

The news broke this week, and it came as a bit of an early Black Friday surprise for many. Richard Lawler, a senior editor at Engadget, ferreted out the information and received confirmation from an Amazon security engineer that it has been in beta testing and rolled out quietly about two weeks ago. (Editor's note: This article was updated on Nov. 20 to reflect that the engineer originally quoted by Engadget cited by InformationWeek was not an authorized spokesperson for the company.)

The MFA seems to be for the US only at this point. Responses on Engadget and Twitter indicate that MFA wasn't showing up in Germany or Canada.

[Read how the Paris attacks have renewed the encryption debate in the US.]

If you're in the US, here's how to create the MFA on your Amazon account: Open your account menu on a merchandise page then click the Change Account Settings on the resulting page. The next page lists your specific account settings. By then clicking on Advanced Security Setting, the MFA process will begin on the page that is opened.

(Image: Larry Loeb)

(Image: Larry Loeb)

Outside of a general concern about security (What company large or small is not concerned about security these days?), it's not clear why Amazon decided now was the time to start offering MFA options for customers. One reason could be the impending holiday shopping season. The never-ending onslaught of breaches and data theft is probably another.

The website Twofactorauth.org shows that the MFA trend is being picked up by more and more companies and technology services, so Amazon is not alone in going down this road.

If Amazon had something more specific in mind, it's not saying. The company did not respond to questions on Thursday.

However, Amazon is currently offering MFA in another part of the company, and that could be the reason for bringing it to its main commerce site. Amazon has used multi-factor authentication in its Amazon Web Services cloud computing platform since 2009. It added virtual devices to the MFA mix in 2013.

MFA typically requires something you are (your user name), something you know (your password), and something you have (a separate device from the one you're using to access the site or app). For example, with MFA enabled on AWS, a user signs in to an AWS website and is then prompted for a user name and password (something the person is, and something he or she knows), as well as for an authentication code from an AWS-supported MFA device (something the individual has).

Various types of devices can be used for the AWS MFA service. It can be a hardware key fob or a hardware card device. It can also be a smartphone using either a TOTP-compliant MFA application like Google's Authenticator, or a text message sent to the phone.

While Amazon said that the text-message MFA option for its commerce site is currently "in preview," immediate sign-up for it is available. This kind of MFA may not be the most secure, since it introduces the wireless carrier as a possible point of failure.

**New deadline of Dec. 18, 2015** Be a part of the prestigious InformationWeek Elite 100! Time is running out to submit your company's application by Dec. 18, 2015. Go to our 2016 registration page: InformationWeek's Elite 100 list for 2016.

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
larryloeb
50%
50%
larryloeb,
User Rank: Author
11/23/2015 | 4:59:33 AM
Re: The environment is changing
Well, it really has to be done correctly, or the customer gets locked out.

The trick seems to be the second factor( what they have). And Google Authenticator may end up being a big player in that space.
Gary_EL
50%
50%
Gary_EL,
User Rank: Ninja
11/21/2015 | 4:19:23 PM
Re: The environment is changing
It really is the best way. Both merchants and customers need this type of protection.
larryloeb
50%
50%
larryloeb,
User Rank: Author
11/20/2015 | 7:05:45 PM
Re: The environment is changing
Yeah, MFA is a really good security feature.

LIke anything else, it needs to be done correctly to work.
impactnow
50%
50%
impactnow,
User Rank: Author
11/20/2015 | 5:38:47 PM
The environment is changing

I am glad to see Amazon offer this option. The current atmosphere of constant data theft is making companies think twice about the financial implications of a data breach. I like that consumers have the option and hope that we will see more people take advantage of this protect themselves.

Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
Commentary
If DevOps Is So Awesome, Why Is Your Initiative Failing?
Guest Commentary, Guest Commentary,  12/2/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll