Enabling a Virtual Multi-factor Authentication (MFA) Device
A virtual MFA device uses a software application to generate a six-digit authentication code that is compatible with the time-based one-time password (TOTP) standard, as described in RFC 6238. The app can run on mobile hardware devices, including smartphones. With most virtual MFA applications, you can host more than one virtual MFA device, which makes them more convenient than hardware MFA devices. However, you should be aware that because a virtual MFA might be run on a less secure device such as a smartphone, a virtual MFA might not provide the same level of security as a hardware MFA device.
You can enable only one MFA device per AWS account user or IAM user, and the device can only be used by the specified user. Keep in mind that although some virtual MFA software applications appear to support multiple accounts, each account you add represents a single virtual MFA device, and that one virtual device can still associate with only one user.
For a list of virtual MFA apps that you can use on smartphones and tablets (including Google Android, Apple iPhone and iPad, and Windows Phone), go to the Virtual MFA Applications section at http://aws.amazon.com/iam/details/mfa/. Note that AWS requires a virtual MFA app that produces a six-digit OTP.
Use the following steps to enable and manage MFA devices from the AWS Management Console. To enable and manage MFA devices at the command line, or to use the API, see Enable and manage virtual MFA devices (AWS CLI, Tools for Windows PowerShell, or AWS API).
We recommend that when you configure a virtual MFA device to use with AWS that you save a copy of the QR code or the secret key in a secure place. That way, if you lose the phone or have to reinstall the MFA software application for any reason, you can reconfigure the app to use the same virtual MFA and not need to create a new virtual MFA in AWS for the user or root account.
Enable a virtual MFA device for an IAM user (AWS Management Console)
You can use IAM in the AWS Management Console to enable a virtual MFA device for an IAM user in your account.
You must have physical access to the hardware that will host the user's virtual MFA device in order to configure MFA. For example, if you are configuring MFA for a user who will use a virtual MFA device running on a smartphone, you must have the smartphone available in order to finish the wizard. Because of this, you might want to let users configure and manage their own virtual MFA devices. In that case you must grant users the permissions to perform the necessary IAM actions. For more information and for an example of an IAM policy that grants these permissions, see Allow Users to Manage Only Their Own Virtual MFA Devices.
To enable a virtual MFA device for a user
Sign in to the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Users.
In the User Name list, choose the name of the intended MFA user.
Choose the Security Credentials tab, and then choose Manage MFA Device.
In the Manage MFA Device wizard, choose A virtual MFA device, and then choose Next Step.
IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.
Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).
Determine whether the MFA app supports QR codes, and then do one of the following:
Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
When you are finished, the virtual MFA device starts generating one-time passwords.
In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Activate Virtual MFA.
The virtual MFA device is now ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA Devices With Your IAM Sign-in Page.
Enable a virtual MFA device for your AWS root account (AWS Management Console)
You can use IAM in the AWS Management Console to configure and enable a virtual MFA device for your AWS root account.
To manage MFA devices for the AWS account, you must be signed in to AWS using your root account credentials. You cannot manage MFA devices for the root account using other credentials.
If you enable MFA on your AWS account (the root user) and also enable MFA on the associated Amazon.com account with the same email address, you will be prompted for two different MFA codes whenever you sign in as the root user.
To configure and enable a virtual MFA device for use with your root account
Sign in to the IAM console at https://console.aws.amazon.com/iam/.
Do one of the following:
Option 1: Choose Dashboard, and under Security Status, expand Activate MFA on your root account.
Option 2: On the right side of the navigation bar, choose your account name, and choose Security Credentials. If necessary, choose Continue to Security Credentials. Then expand the Multi-Factor Authentication (MFA) section on the page.
Choose Manage MFA or Activate MFA, depending on which option you chose in the preceding step.
In the wizard, choose A virtual MFA device and then choose Next Step.
Confirm that a virtual MFA application is installed on the device, and then choose Next Step. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key that is available for manual entry on devices that do not support QR codes.
With the Manage MFA Device wizard still open, open the virtual MFA application on the device.
If the virtual MFA software supports multiple accounts (multiple virtual MFA devices), then choose the option to create a new account (a new virtual device).
The easiest way to configure the application is to use the application to scan the QR code. If you cannot scan the code, you can type the configuration information manually.
To use the QR code to configure the virtual MFA device, follow the app instructions for scanning the code. For example, you might need to tap the camera icon or tap a command like Scan account barcode, and then use the device's camera to scan the QR code.
If you cannot scan the code, type the configuration information manually by typing the Secret Configuration Key value into the application. For example, to do this in the AWS Virtual MFA application, choose Manually add account, and then type the secret configuration key and choose Create.
Make a secure backup of the QR code or secret configuration key, or make sure that you enable multiple virtual MFA devices for your account. If the virtual MFA device is unavailable (for example, if you lose the smartphone where the virtual MFA device is hosted), you will not be able to sign in to your account and you will have to contact customer service to remove MFA protection for the account.
The QR code and secret configuration key generated by IAM are tied to your AWS account and cannot be used with a different account. They can, however, be reused to configure a new MFA device for your account in case you lose access to the original MFA device.
The device starts generating six-digit numbers.
In the Manage MFA Device wizard, in the Authentication Code 1 box, enter the six-digit number that's currently displayed by the MFA device. Wait up to 30 seconds for the device to generate a new number, and then type the new six-digit number into the Authentication Code 2 box.
Choose Next Step, and then choose Finish.
The device is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA Devices With Your IAM Sign-in Page.
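The TOTP algorithm behind both enrollment procedures above (RFC 6238 over RFC 4226 HOTP: HMAC-SHA1, 30-second step, six digits), as an added example that is not AWS code: it derives codes from a base32 secret configuration key and checks two consecutive codes the way the wizard's Authentication Code 1 and 2 boxes do. The base32 seed is the RFC 4226/6238 test secret; the enrollment-check function and its clock window are assumptions for illustration, not AWS's server-side logic.

```python
"""TOTP as used by AWS virtual MFA devices (RFC 6238 over RFC 4226 HOTP):
HMAC-SHA1, 30-second time step, six-digit codes. Added example, not AWS code."""
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds; the wizard says "wait up to 30 seconds" for a new code
DIGITS = 6      # AWS requires a six-digit OTP

# RFC 4226 / RFC 6238 test secret ("12345678901234567890") in base32, the form
# in which IAM shows the secret configuration key for manual entry.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret key, tolerating lowercase, spaces and missing padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(decode_secret(secret_b32), unix_time // step)


def verify_enrollment(secret_b32: str, code1: str, code2: str,
                      unix_time: int, window: int = 1) -> bool:
    """Check two codes the way the wizard's Authentication Code 1 and 2 boxes do:
    they must be the codes of two consecutive time steps, in order. The clock
    'window' (+/- one step, an assumption here) absorbs device clock drift.
    Comparisons are constant-time so timing does not leak the expected code."""
    key = decode_secret(secret_b32)
    counter = unix_time // TIME_STEP
    for c in range(counter - window, counter + window + 1):
        if (hmac.compare_digest(hotp(key, c), code1)
                and hmac.compare_digest(hotp(key, c + 1), code2)):
            return True
    return False
```

The values asserted against are the published RFC 4226/6238 test vectors truncated to six digits, which is a quick way to confirm that a home-grown or third-party TOTP implementation will agree with what AWS expects.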
Replace or "Rotate" a Virtual MFA device
You can have only one virtual MFA device assigned to a user at a time. If the user loses a device or needs to replace it for any reason, you must first deactivate the old device. Then you can add the new device for the user.
To deactivate the device currently associated with a user, see Deactivating MFA devices.
To add a replacement virtual MFA device for an IAM user, follow the steps in the procedure Enable a virtual MFA device for an IAM user (AWS Management Console) above.
To add a replacement virtual MFA device for the account root user, follow the steps in the procedure Enable a virtual MFA device for your AWS root account (AWS Management Console) above.