Enabling and managing virtual MFA devices (Amazon CLI or Amazon API) - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enabling and managing virtual MFA devices (Amazon CLI or Amazon API)

You can use Amazon CLI commands or Amazon API operations to enable a virtual MFA device for an IAM user. You cannot enable an MFA device for the Amazon Web Services account root user with the Amazon CLI, Amazon API, Tools for Windows PowerShell, or any other command line tool. However, you can use the Amazon Web Services Management Console to enable an MFA device for the root user.

When you enable an MFA device from the Amazon Web Services Management Console, the console performs multiple steps for you. If you instead create a virtual device using the Amazon CLI, Tools for Windows PowerShell, or Amazon API, then you must perform the steps manually and in the correct order. For example, to create a virtual MFA device, you must create the IAM object and extract the code as either a string or a QR code graphic. Then you must sync the device and associate it with an IAM user. See the Examples section of New-IAMVirtualMFADevice for more details. For a physical device, you skip the creation step and go directly to syncing the device and associating it with the user.

You can attach tags to your IAM resources, including virtual MFA devices, to identify, organize, and control access to them. You can tag virtual MFA devices only when you use the Amazon CLI or Amazon API.

An IAM user using the SDK or CLI can enable an additional MFA device by calling EnableMFADevice or deactivate an existing MFA device by calling DeactivateMFADevice. To do this successfully, they must first call GetSessionToken and submit MFA codes with an existing MFA device. This call returns temporary security credentials that can then be used to sign API operations that require MFA authentication. For an example request and response, see GetSessionToken—temporary credentials for users in untrusted environments.

To create the virtual device entity in IAM to represent a virtual MFA device

These commands provide an ARN for the device that is used in place of a serial number in many of the following commands.

To enable an MFA device for use with Amazon

These commands synchronize the device with Amazon and associate it with a user. If the device is virtual, use the ARN of the virtual device as the serial number.

Important

Submit your request immediately after generating the authentication codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device becomes out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resynchronize the device using the commands described below.

To deactivate a device

Use these commands to disassociate the device from the user and deactivate it. If the device is virtual, use the ARN of the virtual device as the serial number. You must also separately delete the virtual device entity.

To list virtual MFA device entities

Use these commands to list virtual MFA device entities.

To tag a virtual MFA device

Use these commands to tag a virtual MFA device.

To list tags for a virtual MFA device

Use these commands to list the tags attached to a virtual MFA device.

To untag a virtual MFA device

Use these commands to remove tags attached to a virtual MFA device.

To resynchronize an MFA device

Use these commands if the device is generating codes that are not accepted by Amazon. If the device is virtual, use the ARN of the virtual device as the serial number.

To delete a virtual MFA device entity in IAM

After the device is disassociated from the user, you can delete the device entity.

To recover a virtual MFA device that is lost or not working

Sometimes, a user's device that hosts the virtual MFA app is lost, replaced, or not working. When this happens, the user can't recover it on their own. The user must contact an administrator to deactivate the device. For more information, see What if an MFA device is lost or stops working?.