Amazon adds MFA to its enterprise email service ... eight years after launch

No rush, guys

The Register

Amazon's cloud-hosted email service for enterprises now offers multifactor authentication, which is great, except that the service launched nearly a decade ago. 

Amazon announced yesterday that MFA is now available for WorkMail, its challenge to Microsoft Exchange, and that administrators who manage instances of it can now connect the mail and calendar service to AWS' identity and access management service - Identity Center. 

In other words, MFA won't be automatically enabled for Amazon's enterprise email service, so administrators running WorkMail will still need to configure it and, according to AWS' documentation, add each WorkMail user to IAM Identity Center manually.

The fact that a security service as simple as MFA was missing from something that so desperately needs it - an enterprise email platform run by one of the biggest (if not the biggest) cloud services providers in the world - is shocking, frankly. WorkMail users appear to know that too, as suggested by multiple questions asked on re:Post, AWS' customer Q&A site, in recent years.

"Two-factor authentication is an absolute must, especially for email accounts," one user commented on a three-year-old post. AWS responses on multiple posts have indicated MFA for WorkMail "is treated as a feature request" that's been in development for at least as long as that post. 

Of course, it's not like there wasn't any sort of identity verification available for WorkMail - AWS added support for SAML 2.0 to WorkSpaces, its virtual desktop environment, in late 2022, so larger enterprises making use of that service could go through the legwork to add some form of identity management to WorkMail. 

But as one Reddit user pointed out, SAML still isn't MFA. "I still don't like it. It's really, really hard to beat the slick offerings by both Google and MS [Microsoft], even if they are a cup of coffee a month more per user," Redditor Zenin said about WorkMail's lack of MFA. 

AWS told The Register that, technically speaking, customers could have added MFA to WorkMail via another method prior to yesterday's announcement, but that wasn't a simple process, either.

"It was previously possible to configure MFA via AWS Directory Service, but setup was complex for customers and it only supported AWS-managed Microsoft ADs," an AWS spokesperson told us in an email statement. "WorkMail continues to adhere to general security updates consistent with AWS standards, such as moving TLS minimum versions to 1.2, expanding audit logging support, and providing guidance to customers [on] how to implement overarching protections against a wide range of potential compromises." 

Eight years? Really?!

Amazon launched WorkMail in 2016 after a year of early access, ostensibly to steal customers from Microsoft who were still using Exchange mail, in many cases despite migrations to AWS for other cloud services. From its inception, WorkMail accounts could be added to native email applications like Outlook, Apple Mail, or iOS/Android mail apps, and a web portal exists as well. 

WorkMail hasn't garnered much attention over the years, with Microsoft dominating the market share for cloud-hosted email and calendar services in recent years. Last year, Microsoft changed its policies to allow Office products to run in AWS virtual desktops delivered via WorkSpaces, likely delivering a further blow to the market for WorkMail. 

Amazon's own record on WorkMail hasn't exactly been a vote of confidence, either. In October 2023, the cloud colossus signed a $1 billion deal with Redmond to bring Microsoft 365 productivity apps (like, ahem, Outlook) to its systems for corporate and frontline workers. It's hardly a great look when your employees would rather use a competitor's product than one developed in-house. 

Maybe that's why it took eight years to get MFA formally added to WorkMail? Regardless, with that level of priority (i.e., a lack of one) on developing essential end-user security features, enterprise customers might want to look elsewhere. ®