Enable a FIDO security key for the Amazon Web Services account root user (console) - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enable a FIDO security key for the Amazon Web Services account root user (console)

You can configure and enable a virtual MFA device for your root user from the Amazon Web Services Management Console only, not from the Amazon CLI or Amazon API.

If your FIDO security key is lost, stolen, or not working, you can still sign in using another MFA device registered to the same Amazon Web Services account root user. If you only have a single MFA device registered, you can sign in using alternate factors of identification. To learn about signing in using alternative factors of authentication, see What if an MFA device is lost or stops working?. To disable this feature, contact Amazon Web Services Support.


You should not choose any of the available options on the Google Chrome pop-up that asks to Verify your identity with amazon.com. You only need to tap on the security key.

To enable the FIDO key for your root user (console)
  1. Sign in to the IAM console as the account owner by choosing Root user and entering your Amazon Web Services account email address. On the next page, enter your password.


    As the root user, you can't sign in to the Sign in as IAM user page. If you see the Sign in as IAM user page, choose Sign in using root user email near the bottom of the page. For help signing in as the root user, see Signing in to the Amazon Web Services Management Console as the root user in the Amazon Sign-In User Guide.

  2. On the right side of the navigation bar, choose your account name, and then choose Security credentials. If necessary, choose Continue to Security credentials.

    Security credentials in the navigation menu
  3. Expand the Multi-factor authentication (MFA) section.

  4. Choose Assign MFA device.

  5. In the wizard, type a Device name, choose Security Key, and then choose Next.

  6. Insert the FIDO security key into your computer's USB port.

    FIDO security key inserted into a USB port
  7. Tap the FIDO security key.

The FIDO security key is ready for use with Amazon. The next time you use your root user credentials to sign in, you must tap your FIDO security key to complete the sign-in process.

For help troubleshooting issues with your FIDO security key, see Troubleshooting FIDO security keys.