Enabling MFA devices for users in Amazon

A virtual MFA device, which is a software app that is compliant with RFC 6238, a standards-based TOTP (time-based one-time password) algorithm. You can install the app on a phone or other device. For a list of a few supported apps that you can use as virtual MFA devices, see Multi-Factor Authentication.

A FIDO security key with an Amazon supported configuration. The FIDO Alliance maintains a list of all FIDO Certified products that are compatible with FIDO specifications.

A hardware-based MFA device from a third-party provider like a token device. These tokens are used exclusively with Amazon Web Services accounts. For more information, see Enabling a hardware TOTP token (console). You can purchase these tokens directly from the manufacturers as a key fob or display card device.

Virtual or Hardware TOTP tokens –You can use Amazon CLI commands or Amazon API operations to enable a virtual MFA device for an IAM user. You cannot enable an MFA device for the Amazon Web Services account root user with the Amazon CLI, Amazon API, Tools for Windows PowerShell, or any other command line tool. However, you can use the Amazon Web Services Management Console to enable an MFA device for the root user.

FIDO security keys – Root users and IAM users with FIDO security keys can enable from the Amazon Web Services Management Console only, not from the Amazon CLI or Amazon API.

Virtual MFA device: Enabling a virtual multi-factor authentication (MFA) device (console)

FIDO security key: Enabling a FIDO security key (console)

Hardware TOTP token: Enabling a hardware TOTP token (console)

We recommend that you enable multiple MFA devices to the Amazon Web Services account root user and IAM users in your Amazon Web Services accounts. This allows you to raise the security bar in your Amazon Web Services accounts and simplify managing access to highly privileged users, such as the Amazon Web Services account root user.

You can register up to eight MFA devices of any combination of the currently supported MFA types with your Amazon Web Services account root user and IAM users. With multiple MFA devices, you only need one MFA device to sign in to the Amazon Web Services Management Console or create a session through the Amazon CLI as that user.

In the event of a lost, stolen, or inaccessible MFA device you can use one of the remaining MFA devices to access the Amazon Web Services account without performing the Amazon Web Services account recovery procedure. If an MFA device is lost or stolen, it is best practice to disassociate the lost or stolen device from all IAM users it may be associated with.

Allow your employees in geographically dispersed locations or working remotely to use hardware-based MFA to access Amazon without shipping a single hardware device or coordinating a physical exchange of a single hardware device between employees.

Maintain access to your users in Amazon by using a different MFA device associated with an IAM user if for any reason the holder of one MFA device is not available.

Storing additional MFA devices associated with your Amazon Web Services account root user and IAM users in a secure physical location such as a vault or safe while retaining physical access to another MFA device for redundancy.

FIDO security keys – To access an Amazon website, enter your credentials and then tap the FIDO security key when prompted.

Virtual MFA devices and hardware TOTP tokens – To access an Amazon website, you need an MFA code from the device in addition to your user name and password.

To access MFA-protected API operations, you need the following: