AWS Identity and Access Management
User Guide

Checking MFA Status

Use the IAM console to check whether an AWS root account or IAM user has a valid MFA device enabled.

To check the MFA status of a root account

  1. Sign in to the AWS Management Console with your AWS account (root) credentials and then open the IAM console at

  2. Check under Security Status to see whether MFA is enabled or disabled. If MFA has not been activated, an alert symbol ( 
            Alert icon
          ) is displayed next to Activate MFA on your root account.

If you want to enable MFA for the account, see Enable a Virtual MFA Device for Your AWS Root Account (AWS Management Console) or Enable a Hardware MFA Device for the AWS Account Root User (AWS Management Console).

To check the MFA status of an IAM user

  1. Open the IAM console at

  2. In the navigation pane, choose Users.

  3. Choose the name of the user whose MFA status you want to check, and then choose the Security credentials tab.

  4. If no MFA device is active for the user, the console displays No next to Assigned MFA device. If the user has an MFA device enabled, the Assigned MFA device item shows a value for the device:

    • The ARN in AWS for a virtual device, such as arn:aws:iam::123456789012:mfa/username

    • The ARN in AWS for an SMS device, such as arn:aws:iam::123456789012:sms-mfa/username

    • The device serial number of a hardware device (usually the number from the back of the device), such as GAHT12345678

If you want to change the current setting, choose the edit icon ( ) next to Assigned MFA Device . For virtual device information, see Enabling a Virtual Multi-factor Authentication (MFA) Device. For hardware device information, see Enabling a Hardware MFA Device (AWS Management Console).