9 thoughts on “Removing Two-Step Authentication in AWS (when your ‘smart’ phone resets!)

  1. Doesn’t this defeat the whole purpose of 2FA? If someone who has my phone can simply fill out a form and pretend to be me, they can have the account security reset?

    1. Kind of, but not really. They only disable MFA. So you’d still have to know the username and password to login. (They also email a temporary password to your email address, but I am guessing whoever has taken your phone also has access to your emails).

      This is why it is important to secure your phone, block/wipe/change account password etc. as soon as you realize it is lost.

  2. I second the suggestion of backup codes… I have just encountered this issue and I recently moved countries and haven’t come around to changing my phone number recorded for AWS. I now have to go through a painfully long process and shell out money to get my ID documentation notarized… Not good…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s