Amazon has added multi-factor authentication to help customers better secure their accounts from hackers. With this new feature enabled, thieves would have to know your username, password, and have access to your mobile device or impersonate you to your mobile provider in order to hijack your Amazon account. The security feature allows users to receive a one-time code via text message, automated phone call, or third-party app — such as Google Authenticator.
Multi-factor authentication, also often called “two-step” or “two factor” authentication, is a great way to improve the security of your various online accounts (where available). With multi-factor logins enabled, even if thieves somehow steal your account username and password they’ll still need access to the second factor — your mobile phone — to successfully hijack your account.
Users can instruct Amazon to “remember” each device, which disables future prompts for the second factor on that device going forward. If Amazon later detects a login attempt from a device it does not recognize as associated with that account, it will prompt for the code from the second factor — text message, voice call, or app (whichever you choose).
I’m not sure I succeeded the first time I tried to set up multi-factor authentication on Amazon. I signed in, clicked “Your Account,” and then under “Account Settings” clicked “Change Account Settings.” That page allowed me to add a mobile number by typing in a code that was sent to my mobile. But when I hit “Done” and went back to Amazon’s home page, I decided to revisit the page only to discover that there are two more steps needed to finish setting up multi-factor authentication.
In step two, Amazon asks for a backup phone number where users can receive text messages or voice calls, in case you don’t have access to the mobile device added in Step 1. The backup method also can be Google’s Authenticator App.
Step three just explains how it all works and allows users to skip future one-time codes on personal devices.
If you shop at Amazon, take a few minutes today to turn on multi-factor authentication for your account. While you’re at it, check out twofactorauth.org to see if multi-factor is available for other any online services you may use. Also, consider whether you’re able to beef up the security of the backup email accounts you use for your recovery address.
One final note: Receiving one-time codes by a third-party mobile app that does not require a working connection to the Internet — such as Google Authenticator — allows for fewer chances that your one-time codes could be diverted by attackers: Thieves can still call in to your Internet service provider or mobile provider, pretend to be you, and have your calls and/or texts forwarded to another number that they control.
https://www.turnon2fa.com/ is a better site to look at.
Thank you!! Maybe some of our customers will read this… since they didn’t read our notifications when we changed to a new online system that has multifactor. Have had quite a few complaints about us fixing this ‘glitch’ in our system.
Great articles & always informational.. Thanks!
Exactly whose customers are you talking about? Are we supposed to just assume you work for Amazon?
How safe is it to use a Google Voice number to do the text verification vs a major carrier like sprint?
It’s probably a wash.
I happen to have accounts protected by each. I don’t really believe either is truly safe. But I’m confident they’re better protected than not having anything beyond a password.
The odds are that someone in a telco could be conned (social engineering) into giving an attacker the ability to adjust call/sms forwarding on your phone line.
Most likely, your Google account is protected by something that’s similarly flaky.
If your Google Voice account is only backed by Google Authenticator, and there’s no way for someone to do a password reset to some weakly protected email account, then it’s /possible/ that it’s stronger than the telco, but it probably isn’t…
Keep in mind: a chain is only as strong as its weakest link. Your Google Voice account probably adds additional links…
Thanks Brian! Pretty painless to enable.
There’s an alternative view on the integrity of Amazon’s solution at
http://www.mcelhearn.com/serious-security-problem-with-amazon-how-is-this-even-possible/
That guy’s issue is that his son was the last to be logged into an Amazon account in his Firefox browser, but he refuses to admit it.
Hope this is an exception and not the rule. Here is a link to an article that says 2FA on Amazon is poo poo. Or at least seems to indicate a few problems with it.
https://grahamcluley.com/2015/11/amazon-account-security-problem-uncovered/
This does sound more like user error then an amazon issue.
There is many cases of “I’m sure that…” in that story.
His son is “sure that” he have not used the fathers computer to check amazon.
The guy himself is “sure that” he have used Firefox to sign in since moving (although he don’t normally use Firefox).
The truth is that the writer don’t normally use Amazon.fr, while his son does. The writer also does not normally use Firefox. All we have to go on here is that this guy has a hunch that he “must have” used Firefox to login to Amazon.fr at “some time” since his son last used his computer, which could have been during a visit, or when he was still living in France.
I prefer not to use Google Authenticator and only have one phone number — my mobile number. Looks like no 2fa for me. I wish they would make the backup number optional.
Just curious: Why don’t you prefer using Google Authenticator?
Really just any authenticator app like Duo will work just as well. SMS cannot be trusted for anything.
Because Google is evil, and sells personal information to any and all comers as part of their business model.
Google is evil. Their ad company, DoubleClick, was one of 14 companies that invisibly, in the background, spied on every entry filled in on the healthcare.gov website. Before the Electronic Frontier Foundation and the Associate Press ran articles about that, they did this without any disclosure at all, it looked like you were just filling out a government form. Now, if you don’t want them to take your responses and put them together with the rest of the information they have on you, you have to know to “opt-out” using the “Privacy Manager”.
Because I’m sure these marketing companies would love to have people looking over their shoulders and writing down and selling what they write on their healthcare applications. Same for the people responsible for the healthcare.gov website.
Google’s Authenticator app is nothing more than an implementation of RFC6238 (Time-Based One-Time Password Algorithm). The purpose of the app is to store the seed securely, and then use it (and the date/time) as input into the OTP algorithm to generate a 6-digit code whenever you want to log in.
If you don’t like Google, or don’t trust their app to store the seed securely there are plenty of other implementations to choose from (see: https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm#Client_implementations for a very incomplete list). Taking the position “no 2fa for me” on the basis that you don’t like the company begind just one of the available OTP clients is, frankly, nuts.
Thanks for this post, I’ve enabled it on my account. I was looking forward to this feature and am glad to hear that Amazon has finally gotten around to implementing this.
Thank you so much, Brian! I often take action after reading your emails and greatly appreciate the lengths you go to to help all of us.
Thieves can still call in to your Internet service provider or mobile provider, pretend to be you
This actually happened to me a few months ago. For a couple of weeks my phone was forwarded to another phone. I didn’t notice it at first as I get so few phone calls and I was out of the country.
As a side note it also helps when you are on a plane and can’t receive SMS messages.
This is a great article, and many thanks to Brian!
I, myself, however, am a stick in the mud for giving out my phone number – PayPal threatened to use if for telemarketing a while back and only a huge outrage by the customers stopped that! Meanwhile I deleted it from the account, if that is what they think about my mobile privacy. I’d almost rather wait until the account gets hacked than take a chance of my phone being registered with just another agency I might not completely trust for privacy issues.
If they would send the 2nd factor to an email. I’d feel more comfortable for now, at least. I prefer that method for each place I use 2nd factor authentication. I don’t worry too much about email getting taken over, because my password manager sends me alerts on such chicanery!
I’m also concerned about Amazon tracking via my phone. I think I’ve given them a wrong number, but they still have every credit and debit card listed that I’ve ever entered with them. All but one have since expired and I am loathe to give them any more information about me. The suggests based on purchases I’ve made 8, 10 years go creep me out. And that’s only what I can see.
So get a Google Voice number you don’t care about and use that for verification.
Just to expand on Brian’s explanation. Google Authenticator works entirely on your phone. It has a secret number on your phone, and uses that to create a series of “random” codes, and the web site asks for these to verify that you are you. That’s why it does not require any internet or SMS or anything; it’s all on the phone.
Google Authenticator actually just implements an open standard for these codes called TOTP, and many apps implement it. Any of those apps should work with a site that supports TOTP.
I’m hopeful about this trend of having devices handle authentication, since passwords have so many problems.
Yep, all you need to do is verify you are you to Google, and trust that they’ll never get breached, share your personal information for their financial gain, and…
There are many companies in this world I’ll trust with my identity before I trust Google. I explicitly created an Google account just to use with my phone that I don’t use anywhere else.
The fun part of putting all your trust in one account with Google is that you trust Google with all that information, then trust that your Google account – and Google-centric device – won’t get compromised. Given the prevalence of Android malware/rootkits, that’s not exactly a minor worry.
You do realise that you’re responding to a comment specifying that this is not at all related to Google, but in fact an open standard (TOTP)? Parent mentioned the Google Authentivcator app as an example implementation, which incidentally doesn’t authenticate or report to Google at all. ANY Time-based One Time Passcode app / device will work as an authenticator, such as Authy, YubiAuth (requires a Yubikey), or many others: https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm#Client_implementations
I got Authenticator to work from Amazon.ca, but SMS for backup/alternate authentication does not seem to work for me. I simply don’t get any SMS messages. I suspect it might be because I’m on Rogers. Has anyone else from Canada tried it?
did you try adding +1 in front of the area code?
Not in Canada, but in Alaska. I don’t get sms text messages either. Strange because I have no problems with almost every other vendor that has enabled 2 factor. I suspect that Amazon has not correctly provisioned the system to send text everywhere. They probably purchased a system and the system is limited in scope. BofA also has problems. Silly implementations.
Been having the same problem from the States. I enter my number with +1 before the number, but it never sends me the code. Now it’s telling me “Codes may take a minute to arrive. Please try later.” Really frustrating since I’ve been trying to set up 2FA
Just like Keith Takayesu, I’m on Rogers in Canada and I don’t receive the code by SMS to set this up.
On Amazon.ca I can’t even get verification of my mobile phone number, and the Advanced Security Settings page comes up blank. When Amazon customer support had me go through the process, I got a message stating I had exceeded the maximum number of attempts to verify the number – try again tomorrow. At least that security setting works.
Strangely, I was able to verify my mobile phone number a few months ago.
Red Rose: mine is the same.. blank.. for amazon.ca.
I’m always a fan of these additional security measures.
I’m in Canada, and I am having the same problem. I’ve tried both +1 US and +1 CA.
I had to visit amazon.com instead of amazon.co.uk before I got the option to set this up. After that, the UK site works and when you go to your account, you see the option to edit the “advanced” settings.
I attempted to set up Amazons 2 factor several days ago. It all went well with Amazon sending me the sms security code which I entered and sent back. Setting up the backup method was another story. Amazon only gives 2 backup methods, another phone or the authenticator app. Since I only have one phone and my phone doesn’t handle apps, I wasn’t able to complete the process. Amazon is shooting their 2 factor in the foot with the backup. I am using many other 2 factors, and they all require just my phone number to work.
Dear God let it be better than PayPal 2FA which prevents you from being able to pay for goods from a cell phone, in 2015.
No option for MFA in the Amazon UK account settings, so I went to Amazon.com and signed in. That took me to the Amazon Web Services console signup and after a quick glance at the AWS Customer Agreement (charges, fees, payments), I got cold feet and pulled out. All I want to do is enable 2FA, as I have done on other sites with a simple click in the Security Settings in My Account; I don’t want to have to sign up for Amazon Web Services or have to try and make sense of legalese in a stream of terms and conditions.
Thanks Brian, I’ll keep checking Amazon UK in the hope it will soon introduce 2FA, and perhaps it’ll be as simple as it was on the other sites where I enabled it.
#1: if you plan on using the app later, don’t add your phone number if you think you’ll want it removed later for lack of use. They don’t have an option on the site to remove it and customer support refuses to remove it for people.
#2: it’s SUPPOSED to NOT ask you anymore on that device. however, it asks you, as of currently, every time you get logged out and have to re-login, or have to verify your login for “sensitive” info pages, even when you DO tick the checkbox to NOT ask anymore – it’s an annoyance!
Phone number is one of the things that unlocks your marketing identity. Does Amazon explicitly state that it will only be used for authentication?
That’s why I don’t use Google’s app – don’t want them to know that much about me.
someone in krebs comments section told me what i already knew about amazon’s use of my phone for marketing purposes. i acknowledged/replied with this, bragging about my paranoia online: Hence why I didn’t wanna add it before I realized I could use the authenticator [note that this was a day or 2 prior to the article’s publication or anything online noting the new feature]. That and I don’t trust institutions like this or almost any to handle my data safely – yes, I am incredibly paranoid. When an assigned college project required we create a pinterest account, I connected through BP-served QuadVPN with 8 private https/socks5t proxies on both sides of it, inside a torified VM with an altered MacAddr, HWID, HDD Serial, and with a temporary email only for that, then a 99-char password and a fake name. The only thing I HAD to leave on was javascript due to the site’s design, but that was compensated by the VPN which supplemented the Tor+Jondo+etc on top. Even if something of javascript were to discern my IP, it’d not be the one behind the VPN, but the VPN’s itself, and the VPN can’t tell my IP if it were keeping logs, nor can each [private] proxy let off to the other servers the IPs before/after any of them, without comprehensive investigation in their respective jurisdictions. Not only that, but a different BP-served QuadVPN was turned on, protected against [opennic]dns leaks, just like inside the VM, but outside as well.
As for google’s authenticator, I don’t use it. I use Authy. It’s better than Google’s, has a backup, includes the QR scanner, and last, most importantly: isn’t created by Google.
Regardless ANY authenticator app is GENERALLY more secure than sms, because sms can not only be redirected as it’s been noted already, but it can also be intercepted, either by malicious actors or feds, etc, in transit.
They said they’d “send your [my] suggestion to the team that does site deveiopment.” That’s a fancy way of saying, not in h*ll’s chance.
I did just hook up a friend’s [with consent] phone to prepaid virtual phone #s and add that to amazon, but that worries me because once I eradicate the friend’s phone from the prepaid services and being a minimalist nowadays with accounts, once I eradicate the prepaid service account too, it opens that virtual phone # up to someone else acquiring it – something which severely causes detrimental effect to my amazon account’s security.
woops, I forgot I copied my fb message bragging about my post [which, yes was ridiculous, but totally honest].
Krebs, sorry for the duplicates – the server was giving annoying errors and I didn’t know when and if it went through all those times.
For those saying they don’t like Google Authenticator or don’t have a smart phone – you can use Authy at http://authy.com to handle multiple accounts, including Amazon. And they have a Google Chrome App – so you don’t need a smartphone! And did I mention that it is free?
I use it with a half dozen services for 2FA and it is nice. The accounts are synced in the cloud so all your computers/devices have the app.
It looks like Amazon hasn’t enabled this feature in Canada (which is frustrating)
Attached is a screenshot of what I see when I click on advanced security settings:
https://imgur.com/F8MOoSl
Related to “Amazon security” is the unusual feature that allows ASCII or UTF extended characters in passwords, at least the printable ones.
Even crappy words become resistant: The horrible “passw0rd” (a zero) is cracked in a dictionary attack and in a medium while by brute-force. Altering it to “passwôrd” increases the character space exponentially, making an attacker rely on 20 characters (instead of 3) for the O character.
It’s a significant increase in difficulty to brute-force, dictionary attack, or even over-the-shoulder spying. Of course it probably wouldn’t help against a keylogger, but at that point you’d have bigger problems.
I’ve been having problems setting up 2FA. I’ve been trying to set it up all yesterday, but when I enter my number with +1 before it, I never get any text with the code. Now it’s saying codes may take a minute to arrive, to please try later.
@Brian: can you add a tag for generic two-factor-auth?
It’d be handy to be able to link such a category…
November 24, 2015 — 13:39 GMT (05:39 PST)
http://www.zdnet.com/article/amazon-is-resetting-account-passwords-for-some-accounts/
After about a week of enabling 2FA, Amazon reportedly sent out emails to some of it’s customers that [Amazon] recently discovered [Amazon] passwords may have been improperly stored on devices or transmitted to Amazon in a way that could potentially [be exposed] to a third party.
It adds: “We have corrected the issue to prevent this exposure.”
Amazon has “no reason” to believe passwords were improperly disclosed to a third party but issued a temporary password out of an “abundance of caution.”
I’ve enabled Two-Step Verification on Amazon.com and Amazon.co.uk, but it only asks for my username and password. It never asked for the 2nd factor. Anyone else got this working?
Make sure “Trust Device” isn’t checked in the setup process, or remove trusted devices.
I tried the site on 3 computers, without any joy (none were trusted devices). I put a note on the Amazon community help site and someone confirmed it worked for them. I deleted my Amazon 2FA setup and started again and now it works… I use Google Authenticator with mobile as a backup.
Because, I, like you, assumed you 0nly need to enter a phone number and then plug in the code. NOPE. you need to then enter a SECOND PHONE NUMBER (wtf!?) or download their stupid ass app.
So this whole thing seems more about pushing you to give them more data and download their crappy app – not about security.
If you try this from a mobile phone, you need to go to the full site, rather than the mobile site.
Their 2-step auth. is actually not 2 steps. They require you to put in a second phone number (?!) or use their stupid ass app.
F@#K Amazon on this one.
Amazon.com on Authy app = non-op, “invalid code” on three different devices!
Has the Google Authenticator been verified as a trustworthy application? Is there any other TOTP app that has been verified?