General steps for enabling MFA devices

A virtual MFA device, which is a software app that is compliant with RFC 6238, a standards-based TOTP (time-based one-time password) algorithm. You can install the app on a phone or other device. For a list of a few supported apps that you can use as virtual MFA devices, see Multi-Factor Authentication.

A FIDO security key with an Amazon supported configuration. The FIDO Alliance maintains a list of all FIDO Certified products that are compatible with FIDO specifications.

A hardware-based MFA device from a third-party provider, like a token device. These tokens are used exclusively with Amazon Web Services accounts. For more information, see Enabling a hardware TOTP token (console). You can only use tokens that have their unique token seeds shared securely with Amazon. Token seeds are secret keys generated at the time of token production. Tokens purchased from other sources will not function with IAM. To ensure compatibility, you must purchase your hardware MFA device from one of the following links: OTP token or OTP display card.

Virtual or Hardware TOTP tokens –You can use Amazon CLI commands or Amazon API operations to enable a virtual MFA device for an IAM user. You cannot enable an MFA device for the Amazon Web Services account root user with the Amazon CLI, Amazon API, Tools for Windows PowerShell, or any other command line tool. However, you can use the Amazon Web Services Management Console to enable an MFA device for the root user.

FIDO security keys – Root users and IAM users with FIDO security keys can enable from the Amazon Web Services Management Console only, not from the Amazon CLI or Amazon API.

Virtual MFA device: Enabling a virtual multi-factor authentication (MFA) device (console)

FIDO security key: Enabling a FIDO security key (console)

Hardware TOTP token: Enabling a hardware TOTP token (console)

We recommend that you enable multiple MFA devices to the Amazon Web Services account root user and IAM users in your Amazon Web Services accounts. This allows you to raise the security bar in your Amazon Web Services accounts and simplify managing access to highly privileged users, such as the Amazon Web Services account root user.

You can register up to eight MFA devices of any combination of the currently supported MFA types with your Amazon Web Services account root user and IAM users. With multiple MFA devices, you only need one MFA device to sign in to the Amazon Web Services Management Console or create a session through the Amazon CLI as that user. An IAM user must authenticate with an existing MFA device to enable or disable an additional MFA device.

In the event of a lost, stolen, or inaccessible MFA device you can use one of the remaining MFA devices to access the Amazon Web Services account without performing the Amazon Web Services account recovery procedure. If an MFA device is lost or stolen, it should be disassociated from the IAM principal with which it is associated.

The use of multiple MFAs allows your employees in geographically dispersed locations or working remotely to use hardware-based MFA to access Amazon without having to coordinate the physical exchange of a single hardware device between employees.

The use of additional MFA devices for IAM principals allows you to use one or more MFAs for everyday usage, while also maintaining physical MFA devices in a secure physical location such as a vault or safe for backup and redundancy.

FIDO security keys – To access an Amazon website, enter your credentials and then tap the FIDO security key when prompted.

Virtual MFA devices and hardware TOTP tokens – To access an Amazon website, you need an MFA code from the device in addition to your user name and password.

To access MFA-protected API operations, you need the following: