AWS Identity and Access Management
User Guide

Deactivating MFA Devices

You can deactivate an MFA device to disable it temporarily.


If you use the API or CLI to delete a user from your AWS account, you must deactivate or delete the user's MFA device as part of the process of removing the user. For more information about deleting users, see Managing IAM Users.

To use the console to deactivate an MFA device for a user

  1. Sign in to the IAM console at

  2. In the navigation pane, choose Users, and then choose the name of the user whose MFA device you want to delete.

  3. Choose the Security credentials tab. Next to Assigned MFA device, choose the pencil icon ( ).

  4. In the Manage MFA Device wizard, choose Deactivate MFA device, and then choose Next Step.

    The device is removed from AWS and cannot be used to sign in or authenticate requests until it is reactivated and associated with an AWS user or root account.

To deactivate the MFA device for your AWS root account

  1. Use your root credentials to sign in to the AWS Management Console.


    To manage MFA devices for the AWS account, you must sign in to AWS with your root account credentials. You cannot manage MFA devices for the root account with other credentials.

  2. On the navigation bar, choose your account name, and then choose Security Credentials. If a prompt appears, choose Continue to Security Credentials.

          Security Credentials in the navigation menu
  3. Expand the Multi-Factor Authentication (MFA) section.

  4. In the row for the MFA device that you want to deactivate, choose Deactivate.

The MFA device is deactivated for the AWS account.

To use the AWS CLI, Tools for Windows PowerShell, or AWS API to deactivate an MFA device for a user