Using multi-factor authentication (MFA) in Amazon - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using multi-factor authentication (MFA) in Amazon

For increased security, we recommend that you configure multi-factor authentication (MFA) to help protect your Amazon resources. You can enable MFA for the Amazon Web Services account root user and IAM users. When you enable MFA for the root user, it affects only the root user credentials. IAM users in the account are distinct identities with their own credentials, and each identity has its own MFA configuration. You can register up to eight MFA devices of any combination of the currently supported MFA types with your Amazon Web Services account root user and IAM users. For more information about supported MFA types, see What is MFA?. With multiple MFA devices, only one MFA device is needed to sign in to the Amazon Web Services Management Console or create a session through the Amazon CLI as that user.

Note

We recommend that you require your human users to use temporary credentials when accessing Amazon. Have you considered using Amazon IAM Identity Center? You can use IAM Identity Center to centrally manage access to multiple Amazon Web Services accounts and provide users with MFA-protected, single sign-on access to all their assigned accounts from one place. With IAM Identity Center, you can create and manage user identities in IAM Identity Center or easily connect to your existing SAML 2.0 compatible identity provider. For more information, see What is IAM Identity Center? in the Amazon IAM Identity Center User Guide.

What is MFA?

MFA adds extra security because it requires users to provide unique authentication from an Amazon-supported MFA mechanism in addition to their regular sign-in credentials when they access Amazon websites or services. Amazon supports the following MFA types.

FIDO security keys

FIDO Certified hardware security keys are provided by third-party providers.

The FIDO Alliance maintains a list of all FIDO Certified products that are compatible with FIDO specifications. FIDO authentication standards are based on public key cryptography, which enables strong, phishing-resistant authentication that is more secure than passwords. FIDO security keys support multiple root accounts and IAM users using a single security key. For more information about enabling FIDO security keys, see Enabling a FIDO security key (console).

Virtual MFA devices

A virtual authenticator application that runs on a phone or other device and emulates a physical device.

Virtual authenticator apps implement the time-based one-time password (TOTP) algorithm and support multiple tokens on a single device. The user must type a valid code from the device on a second webpage during sign-in. Each virtual MFA device assigned to a user must be unique. A user can't type a code from another user's virtual MFA device to authenticate. Because they can run on unsecured mobile devices, virtual MFA might not provide the same level of security as FIDO security keys.

We do recommend that you use a virtual MFA device while waiting for hardware purchase approval or while you wait for your hardware to arrive. For a list of a few supported apps that you can use as virtual MFA devices, see Multi-Factor Authentication. For instructions on setting up a virtual MFA device with Amazon, see Enabling a virtual multi-factor authentication (MFA) device (console).

Hardware TOTP token

A hardware device that generates a six-digit numeric code based on the time-based one-time password (TOTP) algorithm.

The user must type a valid code from the device on a second webpage during sign-in. Each MFA device assigned to a user must be unique. A user cannot type a code from another user's device to be authenticated. For information on supported hardware MFA devices, see Multi-Factor Authentication. For instructions on setting up a hardware TOTP token with Amazon, see Enabling a hardware TOTP token (console).
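To show what the virtual MFA apps and hardware TOTP tokens described above actually compute, here is an added example (written for this page, not Amazon's own implementation) of RFC 6238 TOTP: the six-digit code is derived from HMAC-SHA1 over the 30-second time step, and a per-user verifier (a hypothetical class, not an Amazon API) accepts a code only for that user's own seed, within a small clock-skew window, and only once. The seeds are constructed test values, including the RFC 6238 SHA-1 test seed.

```python
import hashlib
import hmac
import struct

# RFC 6238 TOTP as used by virtual MFA apps and hardware TOTP tokens:
# HMAC-SHA1 over the time-step counter, dynamically truncated to six digits.
TIME_STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """Code for the 30-second time step that contains Unix time `at`."""
    return hotp(secret, at // TIME_STEP)


class TotpVerifier:
    """Per-user verification (hypothetical helper): every user has a unique seed,
    and a given time step is accepted at most once, so a code cannot be replayed
    and a code from another user's device never validates."""

    def __init__(self, seeds, skew_steps: int = 1):
        self.seeds = seeds            # user name -> that user's secret seed
        self.skew_steps = skew_steps  # tolerate +/- this many steps of clock drift
        self.last_step = {}           # highest time step accepted per user

    def verify(self, user: str, code: str, at: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        step = at // TIME_STEP
        for candidate in range(step - self.skew_steps, step + self.skew_steps + 1):
            if candidate <= self.last_step.get(user, -1):
                continue  # this step (or an earlier one) was already used: reject replay
            if hmac.compare_digest(hotp(seed, candidate), code):
                self.last_step[user] = candidate
                return True
        return False


# Constructed seeds (not real keys): alice uses the RFC 6238 SHA-1 test seed.
SEEDS = {"alice": b"12345678901234567890", "bob": b"abcdefghijklmnopqrst"}
```

At Unix time 59 the RFC 6238 SHA-1 vector is 94287082, so the six-digit code for alice is 287082; bob's seed yields a different code for the same instant.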

We recommend that you use FIDO security keys as an alternative to hardware TOTP devices. FIDO security keys require no battery, are phishing resistant, and support multiple IAM or root users on a single device for enhanced security.

Note

SMS text message-based MFA – Amazon ended support for enabling SMS multi-factor authentication (MFA). We recommend that customers who have IAM users that use SMS text message-based MFA switch to one of the following alternative methods: FIDO security key, virtual (software-based) MFA device, or hardware MFA device. You can identify the users in your account with an assigned SMS MFA device. To do so, go to the IAM console, choose Users from the navigation pane, and look for users with SMS in the MFA column of the table.