IAM 1.5 Features Reference

A new version of IAM was released on eu-west-2 on September 18, 2023. This page summarizes all the new features and updates.

New Multi-Factor Authentication for Cockpit v2

Two new multi-factor authentication (MFA) methods have been added to Cockpit v2:

  • WebAuthn is a web standard based on public key cryptography that lets you authenticate to web applications with a security key (connected via USB, like a YubiKey, or built into your smartphone or tablet) or with the biometric authentication on your computer or smartphone.

  • An OTP is a short sequence of autogenerated numbers delivered in an application. It is valid only for a short period of time, which makes it more difficult to use maliciously.

For more information, see About Authentication.

Trusted Env and Trusted Session

The existing Trusted Env feature has been updated. This can impact your authentication on Cockpit v2.

When the RequireTrustedEnv parameter of the UpdateApiAccessPolicy method is activated, all EIM users of the root account must now log in to Cockpit v2 using multi-factor authentication (MFA). More specifically, they must set up the WebAuthn authentication method. They can then authenticate using either the WebAuthn method or the OTP method. For more information, see Setting Up MFA for Your Account Using WebAuthn or an OTP.

As a reminder, activating Trusted Env allows you to activate a trusted session. Trusted sessions provide an additional layer of security to a root account and all its users. For more information on trusted sessions, see About Your API Access Policy > Trusted Session.

To activate a trusted session, a root account needs to meet the following requirements:

  • All their access keys must have expiration dates.

  • All their API access rules must specify a CA.
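
A preflight check for the two requirements above, as an added example that is not part of the original page or of the provider's tooling. It assumes the account's access keys and API access rules have already been fetched as lists of JSON objects; the field names `AccessKeyId`, `ExpirationDate`, `ApiAccessRuleId` and `CaIds` are assumptions about that data, and all sample values are constructed.

```python
# Added example. Field names (AccessKeyId, ExpirationDate, ApiAccessRuleId,
# CaIds) are assumed, not taken from this page; sample data is constructed.

def trusted_session_blockers(access_keys, api_access_rules):
    """Return every item that violates one of the two requirements."""
    blockers = []
    for key in access_keys:
        # Requirement 1: every access key must have an expiration date.
        if not key.get("ExpirationDate"):
            blockers.append(("access_key",
                             key.get("AccessKeyId", "<unknown>"),
                             "no expiration date"))
    for rule in api_access_rules:
        # Requirement 2: every API access rule must specify a CA.
        # A missing field, null and an empty list all count as "no CA".
        if not rule.get("CaIds"):
            blockers.append(("api_access_rule",
                             rule.get("ApiAccessRuleId", "<unknown>"),
                             "no CA specified"))
    return blockers


def ready_for_trusted_env(access_keys, api_access_rules):
    """True only when nothing blocks activating RequireTrustedEnv."""
    return not trusted_session_blockers(access_keys, api_access_rules)


# Constructed sample inventory: one compliant key, one key without expiry,
# one compliant rule, one IP-only rule, one rule with an empty CA list.
SAMPLE_KEYS = [
    {"AccessKeyId": "EXAMPLEKEY0000000001",
     "ExpirationDate": "2024-06-30T00:00:00.000+0000"},
    {"AccessKeyId": "EXAMPLEKEY0000000002"},
]
SAMPLE_RULES = [
    {"ApiAccessRuleId": "aar-00000001", "CaIds": ["ca-00000001"]},
    {"ApiAccessRuleId": "aar-00000002", "IpRanges": ["192.0.2.0/24"]},
    {"ApiAccessRuleId": "aar-00000003", "CaIds": []},
]

if __name__ == "__main__":
    for kind, ident, reason in trusted_session_blockers(SAMPLE_KEYS, SAMPLE_RULES):
        print(f"{kind} {ident}: {reason}")
    print("ready:", ready_for_trusted_env(SAMPLE_KEYS, SAMPLE_RULES))
```

Running the check before activating RequireTrustedEnv lists each key or rule that still needs to be fixed, rather than a single pass/fail result.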

As a result of the new MFA feature, the MFA method based on x509 certificates will be deprecated at the end of 2023. On that date, all the x509 certificates in your API access rules will be obsolete and deleted.

Password Reset

As a result of the new version of IAM, you can no longer reset your password via the SendResetPasswordEmail and ResetAccountPassword API methods.

You can now only reset your password via the reset password button on Cockpit v2. For more information, see Modifying Your Personal Information and Password.

EIM Users Authentication

It is now possible for Elastic Identity Management (EIM) users to create their own password that they can then use to log in to Cockpit v2. For more information, see Creating a Password as an EIM User.

EIM users do not have their own email addresses, so if an EIM user needs to reset their password, the reset password email will be sent to the email address of the root account.
