Enabling MFA devices for users in Amazon
The steps for configuring MFA depend on the type of MFA device you are using.
General steps for enabling MFA devices
The following overview procedure describes how to set up and use MFA and provides links to related information.
You can also watch this English-language video, How to Setup Amazon Multi-Factor Authentication (MFA) and Amazon Budget Alerts.
1. Get an MFA device such as one of the following. You can enable up to eight MFA devices per Amazon Web Services account root user or IAM user, in any combination of the following types:
   - A virtual MFA device, which is a software app compliant with RFC 6238, a standards-based TOTP (time-based one-time password) algorithm. You can install the app on a phone or other device. For a list of supported apps that you can use as virtual MFA devices, see Multi-Factor Authentication.
   - A FIDO security key with an Amazon supported configuration. The FIDO Alliance maintains a list of all FIDO Certified products that are compatible with FIDO specifications.
   - A hardware-based MFA device from a third-party provider, such as a token device. These tokens are used exclusively with Amazon Web Services accounts. For more information, see Enabling a hardware TOTP token (console). You can purchase these tokens directly from the manufacturers as a key fob or display card device.

2. Enable the MFA device.
   - Virtual or hardware TOTP tokens – You can use Amazon CLI commands or Amazon API operations to enable a virtual MFA device for an IAM user. You cannot enable an MFA device for the Amazon Web Services account root user with the Amazon CLI, Amazon API, Tools for Windows PowerShell, or any other command line tool. However, you can use the Amazon Web Services Management Console to enable an MFA device for the root user.
   - FIDO security keys – Root users and IAM users can enable FIDO security keys from the Amazon Web Services Management Console only, not from the Amazon CLI or Amazon API.

   For information about enabling each type of MFA device, see the following pages:
   - Virtual MFA device: Enabling a virtual multi-factor authentication (MFA) device (console)
   - FIDO security key: Enabling a FIDO security key (console)
   - Hardware TOTP token: Enabling a hardware TOTP token (console)

   Enable multiple MFA devices (recommended)

   We recommend that you enable multiple MFA devices for the Amazon Web Services account root user and IAM users in your Amazon Web Services accounts. This raises the security bar in your Amazon Web Services accounts and simplifies managing access for highly privileged users, such as the Amazon Web Services account root user.
   - You can register up to eight MFA devices of any combination of the currently supported MFA types with your Amazon Web Services account root user and IAM users. With multiple MFA devices, you only need one MFA device to sign in to the Amazon Web Services Management Console or create a session through the Amazon CLI as that user.
   - In the event of a lost, stolen, or inaccessible MFA device, you can use one of the remaining MFA devices to access the Amazon Web Services account without performing the Amazon Web Services account recovery procedure. If an MFA device is lost or stolen, it is best practice to disassociate the lost or stolen device from all IAM users it may be associated with.
   - Allow employees in geographically dispersed locations, or working remotely, to use hardware-based MFA to access Amazon without shipping a single hardware device or coordinating a physical exchange of a single hardware device between employees.
   - Maintain access for your users in Amazon by using a different MFA device associated with an IAM user if for any reason the holder of one MFA device is not available.
   - Store additional MFA devices associated with your Amazon Web Services account root user and IAM users in a secure physical location, such as a vault or safe, while retaining physical access to another MFA device for redundancy.

3. Use the MFA device when you log in to or access Amazon resources. Note the following:
   - FIDO security keys – To access an Amazon website, enter your credentials and then tap the FIDO security key when prompted.
   - Virtual MFA devices and hardware TOTP tokens – To access an Amazon website, you need an MFA code from the device in addition to your user name and password. To access MFA-protected API operations, you need the following:
     - An MFA code
     - The identifier for the MFA device (the device serial number of a physical device or the ARN of a virtual device defined in Amazon)
     - The usual access key ID and secret access key

   Notes
   - You cannot pass the MFA information for a FIDO security key to Amazon STS API operations to request temporary credentials.
   - You cannot use Amazon CLI commands or Amazon API operations to enable FIDO security keys.

   For more information, see Using MFA devices with your IAM sign-in page.
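To make the TOTP side of steps 2 and 3 concrete, here is an added Python example (not code from the Amazon documentation): it implements the RFC 6238 algorithm that a virtual MFA device runs, derives the two consecutive codes that the IAM enable-mfa-device call requires, and assembles the parameters for an MFA-protected STS get-session-token call. The boto3 calls are only named, not made; the user name, device ARN and Base32 seed are constructed sample values, and the demo uses the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (leading zeros kept)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def enable_mfa_device_params(user_name: str, serial_number: str,
                             base32_seed: str, unix_time: int) -> dict:
    """Parameters for iam.enable_mfa_device (boto3; the call is not made here).
    The seed is the Base32StringSeed from create_virtual_mfa_device; AWS wants
    two codes from consecutive 30-second steps, so the second uses +30 s."""
    secret = base64.b32decode(base32_seed.upper())
    return {
        "UserName": user_name,
        "SerialNumber": serial_number,
        "AuthenticationCode1": totp(secret, unix_time),
        "AuthenticationCode2": totp(secret, unix_time + 30),
    }


def get_session_token_params(serial_number: str, token_code: str,
                             duration_seconds: int = 3600) -> dict:
    """Parameters for sts.get_session_token: the device identifier and the
    current code travel with the usual long-term access keys."""
    if not (token_code.isdigit() and len(token_code) == 6):
        raise ValueError("TokenCode must be the 6-digit code shown on the device")
    return {"SerialNumber": serial_number, "TokenCode": token_code,
            "DurationSeconds": duration_seconds}


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), constructed sample ARN.
    seed = base64.b32encode(b"12345678901234567890").decode()
    arn = "arn:aws:iam::123456789012:mfa/example-user"  # constructed placeholder
    print(enable_mfa_device_params("example-user", arn, seed, 59))
```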