Menu
AWS Identity and Access Management
User Guide

PREVIEW - Enabling SMS Text Message MFA Devices

AWS is no longer accepting new participants for the SMS MFA preview. We encourage you to use MFA on your AWS account through either a hardware-based or virtual (software-based) MFA token device.

If your account is already participating in the SMS MFA Preview program, you can continue using this feature.

An SMS MFA device can be any mobile device with a phone number that can receive standard SMS text messages. When an MFA code is needed, AWS sends it to the phone number that is configured for the IAM user.

Note

SMS MFA can be used only with IAM users. It cannot be used with the AWS account root user. To protect the root user with MFA, you must use either a hardware-based or virtual (software-based) MFA token device.

Enable an SMS MFA Device for an IAM User (AWS Management Console)

Note

Currently, you can manage SMS MFA only in the AWS Management Console.

You can use IAM in the AWS Management Console to configure an IAM user with a phone number to enable SMS MFA.

To enable SMS MFA for an IAM user (console)

  1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.

    Note

    For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.

  2. In the navigation pane, choose Users.

  3. In the User Name list, choose the name (not the check box) of the intended MFA user.

  4. Choose the Security credentials tab. Next to Assigned MFA device, choose the pencil icon ( ).

  5. In the Manage MFA Device wizard, choose An SMS MFA device, and then choose Next Step.

  6. Type the phone number to which you want to send MFA codes for this IAM user, and then choose Next Step.

  7. A six-digit authentication code is immediately sent to the specified phone number for verification. Type the six-digit code and then choose Next Step. If the code does not arrive in a reasonable amount of time), choose Resend Code. Note that SMS is not a service with a guaranteed delivery time.

  8. If AWS successfully verifies the code, the wizard ends. Otherwise, choose Finish to close the wizard.

Change the Phone Number for SMS MFA for an IAM User

To change the phone number of the SMS MFA device assigned to an IAM user, you must delete the current MFA device. Then create a new device with the new phone number. To learn how to delete a device, see Deactivating MFA Devices. To create a new device, see the previous procedures in this topic.