Amazon Multi-factor authentication in IAM - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Multi-factor authentication in IAM

For increased security, we recommend that you configure multi-factor authentication (MFA) to help protect your Amazon resources. You can enable MFA for the Amazon Web Services account root user and IAM users. When you enable MFA for the root user, it affects only the root user credentials. IAM users in the account are distinct identities with their own credentials, and each identity has its own MFA configuration.

Your Amazon Web Services account root user and IAM users can register up to eight MFA devices of any type. Registering multiple MFA devices can provide flexibility and help you reduce the risk of access interruption if a device is lost or broken. You only need one MFA device to sign in to the Amazon Web Services Management Console or create a session through the Amazon CLI.

Note

We recommend that you require your human users to use temporary credentials when accessing Amazon. Have you considered using Amazon IAM Identity Center? You can use IAM Identity Center to centrally manage access to multiple Amazon Web Services accounts and provide users with MFA-protected, single sign-on access to all their assigned accounts from one place. With IAM Identity Center, you can create and manage user identities in IAM Identity Center or easily connect to your existing SAML 2.0 compatible identity provider. For more information, see What is IAM Identity Center? in the Amazon IAM Identity Center User Guide.

MFA adds extra security that requires users to provide unique authentication from an Amazon supported MFA mechanism in addition to their sign-in credentials when they access Amazon websites or services.

MFA types

Amazon supports the following MFA types:

Passkeys and security keys

Amazon Identity and Access Management supports passkeys and security keys for MFA. Based on FIDO standards, passkeys use public key cryptography to provide strong, phishing-resistant authentication that is more secure than passwords. Amazon supports two types of passkeys: device-bound passkeys (security keys) and synced passkeys.

  • Security keys: These are physical devices, like a YubiKey, used as a second factor for authentication. A single security key can support multiple root user accounts and IAM users.

  • Synced passkeys: These use credential managers from providers such as Google, Apple, Microsoft accounts, and third-party services like 1Password, Dashlane, and Bitwarden as a second factor.

You can use built-in biometric authenticators, like Touch ID on Apple MacBooks, to unlock your credential manager and sign in to Amazon. Passkeys are created with your chosen provider using your fingerprint, face, or device PIN. You can sync passkeys across your devices to facilitate sign-ins with Amazon, enhancing usability and recoverability.

IAM does not support local passkey registration for Windows Hello. To create and use passkeys, Windows users should use cross-device authentication (CDA). You can use a CDA passkey from one device, like a mobile device or hardware security key, to sign in on another device like a laptop.

The FIDO Alliance maintains a list of all FIDO Certified products that are compatible with FIDO specifications.

For more information about enabling passkeys and security keys, see Enable a passkey or security key for the root user (console).

Virtual authenticator applications

A virtual authenticator application runs on a phone or other device and emulates a physical device. Virtual authenticator apps implement the time-based one-time password (TOTP) algorithm and support multiple tokens on a single device. The user must type a valid code from the device when prompted during sign-in. Each token assigned to a user must be unique. A user can't type a code from another user's token to authenticate.

We do recommend that you use a virtual MFA device while waiting for hardware purchase approval or while you wait for your hardware to arrive. For a list of a few supported apps that you can use as virtual MFA devices, see Multi-Factor Authentication (MFA).

For instructions on setting up a virtual MFA device for an IAM user, see Assign a virtual MFA device in the Amazon Web Services Management Console.

Hardware TOTP tokens

A hardware device generates a six-digit numeric code based on the time-based one-time password (TOTP) algorithm. The user must type a valid code from the device on a second webpage during sign-in.

These tokens are used exclusively with Amazon Web Services accounts. You can only use tokens that have their unique token seeds shared securely with Amazon. Token seeds are secret keys generated at the time of token production. Tokens purchased from other sources will not function with IAM. To ensure compatibility, you must purchase your hardware MFA device from one of the following links: OTP token or OTP display card.

  • Each MFA device assigned to a user must be unique. A user cannot type a code from another user's device to be authenticated. For information on supported hardware MFA devices, see Multi-Factor Authentication (MFA).

  • If you want to use a physical MFA device, we recommend that you use security keys as an alternative to hardware TOTP devices. Security keys have no battery requirements, are phishing resistant, and support multiple users on a single device.

You can enable a passkey or security key from the Amazon Web Services Management Console only, not from the Amazon CLI or Amazon API. Before you can enable a security key, you must have physical access to the device.

For instructions on setting up a hardware TOTP token for an IAM user, see Assign a hardware TOTP token in the Amazon Web Services Management Console.

Note

SMS text message-based MFA – Amazon ended support for enabling SMS multi-factor authentication (MFA). We recommend that customers who have IAM users that use SMS text message-based MFA switch to one of the following alternative methods: Passkey or security key, virtual (software-based) MFA device, or hardware MFA device. You can identify the users in your account with an assigned SMS MFA device. In the IAM console, choose Users from the navigation pane, and look for users with SMS in the MFA column of the table.

MFA recommendations

To help secure your Amazon identities, follow these recommendations for MFA authentication.

  • We recommend that you enable multiple MFA devices to the Amazon Web Services account root user and IAM users in your Amazon Web Services accounts. This allows you to raise the security bar in your Amazon Web Services accounts and simplify managing access to highly privileged users, such as the Amazon Web Services account root user.

  • You can register up to eight MFA devices of any combination of the currently supported MFA types with your Amazon Web Services account root user and IAM users. With multiple MFA devices, you only need one MFA device to sign in to the Amazon Web Services Management Console or create a session through the Amazon CLI as that user. An IAM user must authenticate with an existing MFA device to enable or disable an additional MFA device.

  • In the event of a lost, stolen, or inaccessible MFA device you can use one of the remaining MFA devices to access the Amazon Web Services account without performing the Amazon Web Services account recovery procedure. If an MFA device is lost or stolen, it should be disassociated from the IAM principal with which it is associated.

  • The use of multiple MFAs allows your employees in geographically dispersed locations or working remotely to use hardware-based MFA to access Amazon without having to coordinate the physical exchange of a single hardware device between employees.

  • The use of additional MFA devices for IAM principals allows you to use one or more MFAs for everyday usage, while also maintaining physical MFA devices in a secure physical location such as a vault or safe for backup and redundancy.

Notes
  • You cannot pass the MFA information for a FIDO security key to Amazon STS API operations to request temporary credentials.

  • You cannot use Amazon CLI commands or Amazon API operations to enable FIDO security keys.

  • You cannot use the same name for more than one root or IAM MFA device.

Additional resources

The following resources can help you learn more about IAM MFA.

  • For more information about using MFA to access Amazon, see MFA enabled sign-in.

  • You can leverage IAM Identity Center to enable secure MFA access to the Amazon access portal, IAM Identity Center integrated apps, and the Amazon CLI. For more information, see Enable MFA in IAM Identity Center.