Enable a FIDO security key for the Amazon Web Services account root user (console)
You can configure and enable a virtual MFA device for your root user from the Amazon Web Services Management Console only, not from the Amazon CLI or Amazon API.
If your FIDO security key is lost, stolen, or not working, you can still sign in using
another MFA device registered to the same Amazon Web Services account root user. If you only have a single MFA device
registered, you can sign in using alternate factors of identification. To learn about signing
in using alternative factors of authentication, see What if an MFA device is lost or stops
working?. To disable this feature, contact Amazon Web Services Support
To enable the FIDO key for your root user (console)
-
Sign in to the IAM console
as the account owner by choosing Root user and entering your Amazon Web Services account email address. On the next page, enter your password. Note
As the root user, you can't sign in to the Sign in as IAM user page. If you see the Sign in as IAM user page, choose Sign in using root user email near the bottom of the page. For help signing in as the root user, see Signing in to the Amazon Web Services Management Console as the root user in the Amazon Sign-In User Guide.
-
On the right side of the navigation bar, choose your account name, and then choose Security credentials. If necessary, choose Continue to Security credentials.
-
Expand the Multi-factor authentication (MFA) section.
-
Choose Assign MFA device.
-
In the wizard, type a Device name, choose Security Key, and then choose Next.
-
Insert the FIDO security key into your computer's USB port.
-
Tap the FIDO security key.
The FIDO security key is ready for use with Amazon. The next time you use your root user credentials to sign in, you must tap your FIDO security key to complete the sign-in process.