I've been thinking about how to ensure I can always access my root account, especially after seeing some posts about people losing access. Currently, I have a hardware token stored safely in a company safe, but my primary MFA is set up with an authenticator app across three phones—two belong to me while the third is with my co-owner. We share the password and change it every time we use it, which isn't often, maybe just a few times a year. I'm considering moving the hardware token offsite to a bank vault, along with the password, since that seems more secure than keeping everything in one place. Am I being overly cautious? What do others do regarding the number of devices registered while still maintaining security without making things too complicated?
3 Answers
You're not overthinking it! It really boils down to how comfortable you feel. Just be sure to check your root email and confirm that its domain is outside of your account's Route 53 settings. I use a Gmail account with advanced protection solely for security matters, and it keeps me at ease.
We’re planning to stick with two phone authenticators for now, but I might add a hardware token to the mix too. By the way, which hardware token do you have?
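The Route 53 dependency check suggested in the answer above, as an added example that is not part of this thread: it flags a root email whose domain (or a parent of it) is a hosted zone in the same AWS account, since losing the account would then also cut off the recovery mailbox. The zone names are constructed sample data; in practice they come from the `Name` field of `aws route53 list-hosted-zones`.

```python
# Added example: does the AWS root-account e-mail depend on a Route 53 hosted
# zone in the same account? Zone names below are constructed sample data; in
# practice feed in the "Name" values from `aws route53 list-hosted-zones`.

def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot Route 53 appends to zone names."""
    return name.strip().lower().rstrip(".")

def email_domain(email: str) -> str:
    """Return the domain part of an e-mail address (text after the last '@')."""
    if "@" not in email:
        raise ValueError(f"not an e-mail address: {email!r}")
    return normalize_domain(email.rsplit("@", 1)[1])

def zones_covering(domain: str, zone_names) -> list:
    """Hosted zones that equal the domain or one of its parent domains.
    e.g. mail.example.com is covered by 'mail.example.com.' and 'example.com.'"""
    labels = normalize_domain(domain).split(".")
    # every suffix of the domain: mail.example.com, example.com, com
    suffixes = {".".join(labels[i:]) for i in range(len(labels))}
    return sorted(z for z in zone_names if normalize_domain(z) in suffixes)

def root_email_depends_on_account(email: str, zone_names) -> bool:
    """True when the recovery mailbox's DNS is hosted by this same account."""
    return bool(zones_covering(email_domain(email), zone_names))

# constructed sample hosted zones (mixed case and trailing dots on purpose)
SAMPLE_ZONES = ["example.com.", "internal.example.net.", "Ops.Example.Org."]

if __name__ == "__main__":
    for addr in ["aws-root@example.com", "root@corp.example.net", "root@gmail.com"]:
        hits = zones_covering(email_domain(addr), SAMPLE_ZONES)
        verdict = "DEPENDS ON THIS ACCOUNT" if hits else "independent"
        print(f"{addr}: {verdict} {hits}")
```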
In our organization, we use CyberArk, so I guess that counts as having two. We have both a physical key and a CyberArk MFA vault for added security.
That's a good point! I had never thought about the email domain before. Thanks for the heads up!