Amazon has finally added multi-factor authentication (MFA) to WorkMail, its enterprise email service launched in 2016 as a competitor to Microsoft Exchange. Although MFA is now available, administrators must manually enable it and link each WorkMail account to AWS’s IAM Identity Center.
The delayed rollout of MFA for WorkMail—a critical security feature—has raised eyebrows, especially given Amazon’s role as a global cloud leader. Over the years, WorkMail users have frequently questioned the absence of MFA on AWS’s customer forum.
One user noted, “Two-factor authentication is essential, especially for email accounts.” AWS acknowledged these requests, stating that MFA had been a “feature request” under development for years.
In the past, WorkMail offered limited identity verification options but lacked direct MFA support. AWS integrated SAML 2.0 with its WorkSpaces platform in 2022, allowing some identity management on WorkMail. However, as one Reddit user pointed out, “SAML isn’t MFA.” The user remarked, “Google and Microsoft’s secure email options are hard to beat, even if they’re pricier.”
AWS clarified that customers could technically have configured MFA earlier via AWS Directory Service. However, this setup was complex and worked only with AWS-managed Microsoft Active Directories. AWS emphasized that WorkMail follows AWS security standards, including support for TLS 1.2 as a minimum and expanded audit logging.
WorkMail, launched in 2016 to attract Microsoft Exchange users, has supported third-party apps like Outlook and Apple Mail from the start. Still, Microsoft dominates cloud-based enterprise email. Recently, Amazon signed a $1 billion deal with Microsoft to bring Microsoft 365 apps, including Outlook, to Amazon’s corporate systems.
Eight years to add MFA? It raises questions about WorkMail’s priorities, or perhaps the lack thereof. For enterprise clients needing strong security, WorkMail’s slow pace may be a reason to look at more secure options in the market.