Deactivating MFA devices - Amazon Identity and Access Management
Deactivating MFA devices (console)Deactivating MFA devices (Amazon CLI)Deactivating MFA devices (Amazon API)
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Deactivating MFA devices

If you are having trouble signing in with a multi-factor authentication (MFA) device as an IAM user, contact your administrator for help.

As an administrator, you can deactivate the device for another IAM user. This allows the user to sign in without using MFA. You might do this as a temporary solution while the MFA device is replaced, or if the device is temporarily unavailable. However, we recommend that you enable a new device for the user as soon as possible. To learn how to enable a new MFA device, see Enabling MFA devices for users in Amazon.

Note

If you use the API or Amazon CLI to delete a user from your Amazon Web Services account, you must deactivate or delete the user's MFA device. You make this change as part of the process of removing the user. For more information about deleting users, see Managing IAM users.

Deactivating MFA devices (console)

To deactivate an MFA device for another IAM user (console)

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users.

  3. To deactivate the MFA device for a user, choose the name of the user whose MFA you want to remove.

  4. Choose the Security credentials tab.

  5. Under ​Multi-factor authentication (MFA), choose the radio button next to the MFA device, choose Remove, and then choose Remove.

    The device is removed from Amazon. It cannot be used to sign in or authenticate requests until it is reactivated and associated with an Amazon user or Amazon Web Services account root user.

To deactivate the MFA device for your Amazon Web Services account root user (console)

  1. Sign in to the IAM console as the account owner by choosing Root user and entering your Amazon Web Services account email address. On the next page, enter your password.

    Note

    As the root user, you can't sign in to the Sign in as IAM user page. If you see the Sign in as IAM user page, choose Sign in using root user email near the bottom of the page. For help signing in as the root user, see Signing in to the Amazon Web Services Management Console as the root user in the Amazon Sign-In User Guide.

  2. On the right side of the navigation bar, choose on your account name, and then choose Security credentials. If necessary, choose Continue to Security credentials.

    Security credentials in the navigation menu

  3. In the Multi-factor authentication (MFA) section, choose the radio button next the MFA device that you want to deactivate and choose Remove.

  4. Choose Remove.

    The MFA device is deactivated for the Amazon Web Services account. Check the email that is associated with your Amazon Web Services account for a confirmation message from Amazon Web Services. The email informs you that your Amazon Web Services multi-factor authentication (MFA) has been deactivated. The message will come from @amazon.com or @aws.amazon.com.

Deactivating MFA devices (Amazon CLI)

To deactivate an MFA device for an IAM user (Amazon CLI)

Deactivating MFA devices (Amazon API)

To deactivate an MFA device for an IAM user (Amazon API)