Available MFA types for a root user
Amazon supports the following MFA types for your root user: passkeys and security keys, virtual authenticator applications, and hardware TOTP tokens.
Passkeys and security keys
Amazon Identity and Access Management supports passkeys and security keys for MFA. Based on FIDO standards, passkeys use public key cryptography to provide strong, phishing-resistant authentication that is more secure than passwords. Amazon supports two types of passkeys: device-bound passkeys (security keys) and synced passkeys.
Security keys: These are physical devices, like a YubiKey, used as a second factor for authentication. A single security key can support multiple root user accounts and IAM users.
Synced passkeys: These use credential managers from providers such as Google, Apple, Microsoft accounts, and third-party services like 1Password, Dashlane, and Bitwarden as a second factor.
You can use built-in biometric authenticators, like Touch ID on Apple MacBooks, to unlock your credential manager and sign in to Amazon. Passkeys are created with your chosen provider using your fingerprint, face, or device PIN. You can sync passkeys across your devices to facilitate sign-ins with Amazon, enhancing usability and recoverability.
IAM does not support local passkey registration for Windows Hello. To create and use passkeys, Windows users should use cross-device authentication
Virtual authenticator applications
A virtual authenticator application runs on a phone or other device and emulates a physical device.
Virtual authenticator apps implement the time-based one-time password (TOTP) algorithm
We do recommend that you use a virtual MFA device while waiting for hardware purchase approval or while you wait for your hardware to arrive. For a list of a few supported apps that you can use as virtual MFA devices, see Multi-Factor Authentication (MFA)
Hardware TOTP tokens
A hardware device generates a six-digit numeric code based on the time-based one-time password (TOTP) algorithm
If you want to use a physical MFA device, we recommend that you use FIDO security keys as an alternative to hardware TOTP devices. FIDO security keys require no battery, are phishing resistant, and support multiple root and IAM users on a single device for enhanced security.