QR Code and IAM Identity Center

You're most welcome zondi, we're always happy to assist.

AliH1P

Will do.

Thank you, Ali, for your time and help.

Hey zondi, thanks for your reply.

The QR code that is being generated in your screenshot is for a passkey rather than time-based 2FA and therefore will not work with 1Password or other two-factor authenticators.

I would recommend reaching out to AWS to get further clarification on MFA options and whether you can use an authenticator app.

Let me know if you have any questions or if there's anything else we can help with.

Ali

Hello, AliH1P

Seems I'm missing a critical piece of information.

But nothing at https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-register-device.html can shed a light on this.

I just noticed that this is not actually a 1Password issue.

I tried to use Google Authenticator, Microsoft Authenticator, and even Authy to scan the generated code.

And got this:

Is it possible to let me know what I may be missing from the mobile device screenshot?

Thanks for the help.

AliH1P

The screenshot was taken before the "the different device" option was selected.

As previously mentioned, I don't use passkeys and thus have no need for selecting that option.

The screenshot was taken during the process and before the selection was made.

Thank you.

Hey zondi, I'm sorry to hear that doesn't help.

To further clarify, in your screenshot I can see an attempt at scanning a Passkey QR code rather than a time-based one-time password QR code. This is not expected to work with 1Password at the moment but our team is working on bringing Passkeys to 1Password this year.

AliH1P

It might worth keeping in mind that the normal AWS account 2FA implemention is completely separate/ different from the new AWS ID Center which replaced SSO.

Hi AliH1P

Not really.

The screen shot was taken before the "the different device" option was selected.

Like I mentioned before, I have been using 1Password for a very long time and familiar (at least to a reasonable extent), what and what cannot be done with it.

What I intend to do later this evening is to use a mobile device for the scanning instead of the browser or desktop app options.

Thank you.

Hey zondi, thanks for the screenshots. I noticed that there is an attempt to add 2FA using a Passkey rather than an authenticator application.

I recreated a similar environment and can see that a user should be presented with the following options:

Selecting Authenticator app will present the user with a QR code that 1Password can recognize and add a one-time password for. I tested this using both the desktop application and extension and it works well.

On the other hand, selecting Security key and cancelling the initial prompt results in the request to create a passkey:

The subsequent QR code after selecting "different device" is not for a time-based one-time password and won't work with 1Password.

I'm not very familiar with the IAM Identity Center, but let me know if you have the option to add via authenticator app and whether that works with 1Password.

Ali

Hi AliH1P .

Since this happens whether I'm on macOS or Linux, I'm attaching a screenshot to show you the flow and result.

A user visits https://$orgName.awsapps.com/start which will redirect to something like https://us-west-2.signin.aws/platform/login?workflowStateHandle=58858585-033737373737-randomNumbers

Logs in and he | she | they is | are presented with this option:

Selects the "different device option" and is presented with this:

As you will see if you replicate this, the generated QR code does not have the option to copy and do this manually.

Moreover, the QR code design is different though I don't know much about QR and I'm also unable to find the type at https://en.wikipedia.org/wiki/QR_code.

I know this is not exactly what you want me to do.

But hope it throws more light on this.

Will see if I can find time later to send the log to you.

Thanks and have a wonderful evening.