Configure MFA in IAM Identity Center
You can configure MFA in IAM Identity Center when your identity source is IAM Identity Center's own identity store, Amazon Managed Microsoft AD, or AD Connector. MFA in IAM Identity Center is currently not supported for external identity providers; if you use an external identity provider, configure and enforce MFA in that provider instead.
The following are general MFA recommendations. Which of them apply depends on your IAM Identity Center settings and your organization's preferences.
- Encourage users to register more than one authenticator for each enabled MFA type. A registered backup authenticator means a broken or misplaced MFA device does not lock the user out of the Amazon Web Services access portal.
- Don't choose the Require Them to Provide a One-Time Password Sent by Email option if your users must sign in to the Amazon Web Services access portal to reach their email. For example, if your users read their email in Microsoft 365 through the Amazon Web Services access portal, they cannot retrieve the verification code until they are signed in, and they cannot sign in without the code, so they are locked out of the portal. For more information, see Configure MFA device enforcement.
- If you already use RADIUS MFA that you configured with Amazon Directory Service, you don't need to enable MFA in IAM Identity Center as well. For Microsoft Active Directory users of IAM Identity Center, MFA in IAM Identity Center is an alternative to RADIUS MFA, not an addition to it. For more information, see RADIUS MFA.
- A YouTube video that gives an overview of MFA and IAM Identity Center is also available.