AWS Identity and Access Management
Using IAM (API Version 2010-05-08)

Using a Virtual MFA Device with AWS

To use a virtual MFA device with AWS, you must configure it for use with AWS, and then enable it. In this section you'll learn what a virtual MFA device is and what you need to do to configure and enable it.

A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the Time-Based One-Time Password (TOTP) standard, as described in RFC 6238. The software application can run on mobile hardware devices, including smartphones. Most virtual MFA applications allow you to host more than one virtual MFA device, which makes them more convenient than hardware MFA devices. However, you should be aware that because a virtual MFA might be run on a less secure device such as a smartphone, a virtual MFA might not provide the same level of security as a hardware MFA device.

You can enable only one MFA device per account. Although some virtual MFA software applications appear to support multiple accounts, each account you add represents a single virtual MFA device, and that one virtual device can still associate with only one account.

For a list of virtual MFA apps that you can use on smartphones and tablets (including Google Android, Apple iPhone and iPad, and Windows Phone), see the Virtual MFA Applications section at Note that AWS requires a virtual MFA app that produces a six-digit OTP.