Configure MFA device enforcement - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configure MFA device enforcement

Use the following procedure to determine whether your users must have a registered MFA device when signing in to the Amazon Web Services access portal.

To configure MFA device enforcement for your users
  1. Open the IAM Identity Center console.

  2. In the left navigation pane, choose Settings.

  3. On the Settings page, choose the Authentication tab.

  4. In the Multi-factor authentication section, choose Configure.

  5. On the Configure multi-factor authentication page, under If a user does not yet have a registered MFA device choose one of the following choices based on your business needs:

    • Require them to register an MFA device at sign in

      This is the default setting when you first configure MFA for IAM Identity Center. Use this option when you want to require users who do not yet have a registered MFA device, to self-enroll a device during sign-in following a successful password authentication. This allows you to secure your organization’s Amazon environments with MFA without having to individually enroll and distribute authentication devices to your users. During self-enrollment, your users can register any device from the available Available MFA types for IAM Identity Center you've previously enabled. After completing registration, users have the option to give their newly enrolled MFA device a friendly name, after which IAM Identity Center redirects the user to their original destination. If the user’s device is lost or stolen, you can simply remove that device from their account, and IAM Identity Center will require them to self-enroll a new device during their next sign-in.

    • Require them to provide a one-time password sent by email to sign in

      Use this option when you want to have verification codes sent to users by email. Because email is not bound to a specific device, this option does not meet the bar for industry-standard multi-factor authentication. But it does improve security over having a password alone. Email verification will only be requested if a user has not registered an MFA device. If the Context-aware authentication method has been enabled, the user will have the opportunity to mark the device on which they receive the email as trusted. Afterward they will not be required to verify an email code on future logins from that device, browser, and IP address combination.


      If you are using Active Directory as your IAM Identity Center enabled identity source, the email address will always be based on the Active Directory email attribute. Custom Active Directory attribute mappings will not override this behavior.

    • Block their sign-in

      Use the Block Their Sign-In option when you want to enforce MFA use by every user before they can sign in to Amazon.


      If your authentication method is set to Context-aware a user might select the This is a trusted device check box on the sign-in page. In that case, that user will not be prompted for MFA even if you have the Block their sign in setting enabled. If you want these users to be prompted, change your authentication method to Always On.

    • Allow them to sign in

      Use this option to indicate that MFA devices are not required in order for your users to sign in to the Amazon Web Services access portal. Users who chose to register MFA devices will still be prompted for MFA.

  6. Choose Save changes.