Enabling a passkey or security key (console) - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enabling a passkey or security key (console)

Passkeys are a type of multi-factor authentication (MFA) device that you can use to protect your Amazon resources. Amazon supports synced passkeys and device-bound passkeys, also known as security keys.

Synced passkeys allow IAM users to access their FIDO sign-in credentials on many of their devices, even new ones, without having to re-enroll every device on every account. Synced passkeys are stored in first-party credential managers such as those from Google, Apple, and Microsoft, or in third-party credential managers such as 1Password, Dashlane, and Bitwarden, and serve as a second factor. You can also use on-device biometrics (e.g., TouchID, FaceID) to unlock your chosen credential manager to use passkeys.

Alternatively, device-bound passkeys are bound to a FIDO security key that you plug into a USB port on your computer and then tap when prompted to securely complete the sign-in process. If you already use a FIDO security key with other services, and it has an Amazon supported configuration (for example, the YubiKey 5 Series from Yubico), you can also use it with Amazon. Otherwise, you need to purchase a FIDO security key if you want to use WebAuthn for MFA in Amazon. Additionally, FIDO security keys can support multiple IAM or root users on the same device, enhancing their utility for account security. For specifications and purchase information for both device types, see Multi-Factor Authentication.

You can register up to eight MFA devices of any combination of the currently supported MFA types with your Amazon Web Services account root user and IAM users. With multiple MFA devices, you only need one MFA device to sign in to the Amazon Web Services Management Console or create a session through the Amazon CLI as that user. We recommend that you register multiple MFA devices. For example, you can register a built-in authenticator and also register a security key that you keep in a physically secure location. If you're unable to use your built-in authenticator, then you can use your registered security key. For authenticator applications, we also recommend enabling the cloud backup or sync feature in those apps to help you avoid losing access to your account if you lose or break the device that holds the authenticator app.

Note

We recommend that you require your human users to use temporary credentials when accessing Amazon. Your users can federate into Amazon with an identity provider where they authenticate with their corporate credentials and MFA configurations. To manage access to Amazon and business applications, we recommend that you use IAM Identity Center. For more information, see the IAM Identity Center User Guide.

Permissions required

To manage a FIDO passkey for your own IAM user while protecting sensitive MFA-related actions, you must have the permissions from the following policy:

Note

The ARN values are static values and are not an indicator of what protocol was used to register the authenticator. We have deprecated U2F, so all new implementations use WebAuthn.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowManageOwnUserMFA",
          "Effect": "Allow",
          "Action": [
            "iam:DeactivateMFADevice",
            "iam:EnableMFADevice",
            "iam:GetUser",
            "iam:ListMFADevices",
            "iam:ResyncMFADevice"
          ],
          "Resource": "arn:aws-cn:iam::*:user/${aws:username}"
        },
        {
          "Sid": "DenyAllExceptListedIfNoMFA",
          "Effect": "Deny",
          "NotAction": [
            "iam:EnableMFADevice",
            "iam:GetUser",
            "iam:ListMFADevices",
            "iam:ResyncMFADevice"
          ],
          "Resource": "*",
          "Condition": {
            "BoolIfExists": {
              "aws:MultiFactorAuthPresent": "false"
            }
          }
        }
      ]
    }
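The DenyAllExceptListedIfNoMFA statement uses BoolIfExists rather than Bool because aws:MultiFactorAuthPresent is absent from the request context when a call is signed with long-term access keys. The toy evaluator below is an added example, not AWS code: it models only the two statements in this policy (exact action names, fnmatch-style resource patterns, explicit Deny overriding Allow), uses a constructed user ARN and constructed request contexts, and shows that swapping in plain Bool would let a no-MFA access-key call deactivate the MFA device.

```python
from fnmatch import fnmatchcase

# Constructed copy of the page's two statements (toy model, not the IAM engine).
POLICY = [
    {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
     "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": "arn:aws-cn:iam::*:user/${aws:username}"},
    {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
     "NotAction": ["iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices",
                   "iam:ResyncMFADevice"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]

def condition_matches(cond, ctx):
    """Bool needs the key present; BoolIfExists treats an absent key as a match."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            if key not in ctx:
                if op == "BoolIfExists":
                    continue          # absent key: condition still satisfied
                return False          # plain Bool: absent key never matches
            if str(ctx[key]).lower() != want.lower():
                return False
    return True

def statement_applies(stmt, action, resource, ctx):
    # Exact action names only; the page's policy uses no action wildcards.
    if "Action" in stmt and action not in stmt["Action"]:
        return False
    if "NotAction" in stmt and action in stmt["NotAction"]:
        return False
    pattern = stmt["Resource"].replace("${aws:username}", ctx.get("aws:username", ""))
    if pattern != "*" and not fnmatchcase(resource, pattern):
        return False
    return condition_matches(stmt.get("Condition", {}), ctx)

def evaluate(policy, action, resource, ctx):
    """Explicit Deny beats Allow; no matching Allow is an implicit deny."""
    effects = {s["Effect"] for s in policy if statement_applies(s, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def with_plain_bool(policy):
    """Same policy with BoolIfExists replaced by Bool, to show what that would break."""
    deny = policy[1]
    return [policy[0], dict(deny, Condition={"Bool": deny["Condition"]["BoolIfExists"]})]
```

With the real policy, a request whose context lacks aws:MultiFactorAuthPresent (an access-key call) can still enable, list, or resync MFA but not deactivate it; with plain Bool that same request would be allowed to deactivate the device.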

Enable a passkey or security key for your own IAM user (console)

You can enable a passkey or security key for your own IAM user from the Amazon Web Services Management Console only, not from the Amazon CLI or Amazon API. Before you can enable a security key, you must have physical access to the device.

To enable a passkey or security key for your own IAM user (console)
  1. Use your Amazon account ID or account alias, your IAM user name, and your password to sign in to the IAM console.

    Note

    For your convenience, the Amazon sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your Amazon account ID or account alias to be redirected to the IAM user sign-in page for your account.

    To get your Amazon Web Services account ID, contact your administrator.

  2. In the navigation bar on the upper right, choose your user name, and then choose Security credentials.

  3. On the selected IAM user's page, choose the Security credentials tab.

  4. Under Multi-factor authentication (MFA), choose Assign MFA device.

  5. On the MFA device name page, enter a Device name, choose Passkey or Security Key, and then choose Next.

  6. On Set up device, set up your passkey. Create a passkey with biometric data like your face or fingerprint, with a device pin, or by inserting the FIDO security key into your computer's USB port and tapping it.

  7. Follow the instructions on your browser and then choose Continue.

You have now registered your passkey or security key for use with Amazon. For information about using MFA with the Amazon Web Services Management Console, see Using MFA devices with your IAM sign-in page.

Enable a passkey or security key for another IAM user (console)

You can enable a passkey or security key for another IAM user from the Amazon Web Services Management Console only, not from the Amazon CLI or Amazon API.

To enable a passkey or security key for another IAM user (console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users.

  3. Under Users, choose the name of the user for whom you want to enable MFA.

  4. On the selected IAM user page, choose the Security Credentials tab.

  5. Under Multi-factor authentication (MFA), choose Assign MFA device.

  6. On the MFA device name page, enter a Device name, choose Passkey or Security Key, and then choose Next.

  7. On Set up device, set up your passkey. Create a passkey with biometric data like your face or fingerprint, with a device pin, or by inserting the FIDO security key into your computer's USB port and tapping it.

  8. Follow the instructions on your browser and then choose Continue.

You have now registered a passkey or security key for another IAM user to use with Amazon. For information about using MFA with the Amazon Web Services Management Console, see Using MFA devices with your IAM sign-in page.

Replace a passkey or security key

You can have up to eight MFA devices, in any combination of the currently supported MFA types, assigned at a time to your Amazon Web Services account root user and to each IAM user. If the user loses a FIDO authenticator or needs to replace it for any reason, you must first deactivate the old FIDO authenticator. Then you can add a new MFA device for the user.

If you don't have access to a new passkey or security key, you can enable a new virtual MFA device or hardware TOTP token. See one of the following for instructions: