AWS Identity and Access Management
IAM User Guide

Enabling a Virtual Multi-factor Authentication (MFA) Device

A virtual MFA device uses a software application to generate a six-digit authentication code that is compatible with the time-based one-time password (TOTP) standard, as described in RFC 6238. The app can run on mobile hardware devices, including smartphones. With most virtual MFA applications, you can host more than one virtual MFA device, which makes them more convenient than hardware MFA devices. However, you should be aware that because a virtual MFA might be run on a less secure device such as a smartphone, a virtual MFA might not provide the same level of security as a hardware MFA device.

An MFA device can be associated with only one AWS account or IAM user. Although some virtual MFA software applications appear to support multiple accounts, each account you add represents a single virtual MFA device, and that one virtual device can still associate with only one account or user.

For a list of virtual MFA apps that you can use on smartphones and tablets (including Google Android, Apple iPhone and iPad, and Windows Phone), go to the Virtual MFA Applications section at http://aws.amazon.com/iam/details/mfa/. Note that AWS requires a virtual MFA app that produces a six-digit OTP.

Use the following steps to enable and manage MFA devices from the AWS Management Console. To enable and manage MFA devices at the command line, or to use the API, see Enable and manage virtual MFA devices (AWS CLI, Tools for Windows PowerShell, or AWS API).

Important

We recommend that, when you configure a virtual MFA device to use with AWS, you save a copy of the QR code or the secret key in a secure place. That way, if you lose the phone or have to reinstall the MFA software application for any reason, you can reconfigure the app to use the same virtual MFA and not need to create a new virtual MFA in AWS for the user or root account.

Enable a virtual MFA device for an IAM user (AWS Management Console)

You can use IAM in the AWS Management Console to enable a virtual MFA device for an IAM user in your account.

Note

You must have physical access to the hardware that will host the user's virtual MFA device in order to configure MFA. For example, if you are configuring MFA for a user who will use a virtual MFA device running on a smartphone, you must have the smartphone available in order to finish the wizard. Because of this, you might want to let users configure and manage their own virtual MFA devices. In that case you must grant users the permissions to perform the necessary IAM actions. For more information and for an example of an IAM policy that grants these permissions, see Allow Users to Manage Only Their Own Virtual MFA Devices.

To enable a virtual MFA device for a user

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. In the User Name list, choose the name of the intended MFA user.

  4. Scroll down to the Security Credentials section, and then choose Manage MFA Device.

  5. In the Manage MFA Device wizard, choose A virtual MFA device, and then choose Next Step.

    IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.

  6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications.) If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).

  7. Determine whether the MFA app supports QR codes, and then do one of the following:

    • Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.

    • In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.

    When you are finished, the virtual MFA device starts generating one-time passwords.

  8. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second one-time password into the Authentication Code 2 box. Choose Activate Virtual MFA.

The virtual MFA device is now ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA Devices With Your IAM-Enabled Sign-in Page.
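The code the app generates is RFC 6238 TOTP, and step 8 asks for two consecutive codes so IAM can confirm the app is seeded with the right secret and its clock is in step. The following is an added example, not code from the IAM User Guide or from AWS: it derives six-digit codes from a base32 "secret configuration key" exactly as a virtual MFA app does, and models the two-consecutive-codes activation check (the skew window is an assumption; AWS's real tolerance is not stated on this page). The sample secret is the RFC 6238 reference key, not an AWS-issued one.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per code, the cadence the wizard tells you to wait for
DIGITS = 6      # AWS requires a six-digit OTP

# Constructed sample: the RFC 6238 reference key "12345678901234567890" in base32,
# standing in for the secret configuration key the IAM wizard displays.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating spaces and missing '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp_at_counter(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation), the primitive TOTP builds on."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return totp_at_counter(decode_secret(secret_b32), unix_time // step)


def activation_ok(secret_b32: str, code1: str, code2: str, unix_time: int,
                  skew_steps: int = 2, step: int = TIME_STEP) -> bool:
    """Model of the wizard's enrollment check (an assumption, not AWS's code).

    code1 and code2 must be the outputs of two consecutive time steps, somewhere
    within a small clock-skew window around the server's current step. A single
    code could be a lucky guess or a stale value; two in sequence show the app
    holds the right secret and is ticking in step with the server.
    """
    key = decode_secret(secret_b32)
    base = unix_time // step
    for k in range(-skew_steps, skew_steps + 1):
        c = base + k
        if hmac.compare_digest(totp_at_counter(key, c), code1) and \
           hmac.compare_digest(totp_at_counter(key, c + 1), code2):
            return True
    return False
```

The `totp` values for the sample key match the SHA-1 rows of the RFC 6238 test vectors truncated to six digits, which is a quick way to confirm a home-grown or third-party authenticator before pointing it at a real account.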

Enable a virtual MFA device for your AWS root account (AWS Management Console)

You can use IAM in the AWS Management Console to configure and enable a virtual MFA device for your AWS root account.

Important

To manage MFA devices for the AWS account, you must be signed in to AWS using your root account credentials. You cannot manage MFA devices for the root account using other credentials.

To configure and enable a virtual MFA device for use with your root account

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Do one of the following:

    • Option 1: Choose Dashboard, and under Security Status, expand Activate MFA on your root account.

    • Option 2: On the right side of the navigation bar, choose your account name, and click Security Credentials. If necessary, click Continue to Security Credentials. Then expand the Multi-Factor Authentication (MFA) section on the page.

      (Screenshot: Security Credentials in the navigation menu)

  3. Click Manage MFA or Activate MFA, depending on which option you chose in the preceding step.

  4. In the wizard, select A virtual MFA device and then click Next Step.

  5. Confirm that a virtual MFA application is installed on the device, and then click Next Step. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key that is available for manual entry on devices that do not support QR codes.

  6. With the Manage MFA Device wizard still open, open the virtual MFA application on the device.

  7. If the virtual MFA software supports multiple accounts (multiple virtual MFA devices), then select the option to create a new account (a new virtual device).

  8. The easiest way to configure the application is to use the application to scan the QR code. If you cannot scan the code, you can type the configuration information manually.

    • To use the QR code to configure the virtual MFA device, follow the app instructions for scanning the code. For example, you might need to tap the camera icon or tap a command like Scan account barcode, and then use the device's camera to scan the QR code.

    • If you cannot scan the code, type the configuration information manually by typing the Secret Configuration Key value into the application. For example, to do this in the AWS Virtual MFA application, choose Manually add account, and then type the secret configuration key and choose Create.

    Important

    Make a secure backup of the QR code or secret configuration key, or make sure that you enable multiple virtual MFA devices for your account. If the virtual MFA device is unavailable (for example, if you lose the smartphone where the virtual MFA device is hosted), you will not be able to sign in to your account and you will have to contact customer service to remove MFA protection for the account.

    Note

    The QR code and secret configuration key generated by IAM are tied to your AWS account and cannot be used with a different account. They can, however, be reused to configure a new MFA device for your account in case you lose access to the original MFA device.

    The device starts generating six-digit numbers.

  9. In the Manage MFA Device wizard, in the Authentication Code 1 box, type the six-digit number that's currently displayed by the MFA device. Wait up to 30 seconds for the device to generate a new number, and then type the new six-digit number into the Authentication Code 2 box.

  10. Click Next Step, and then click Finish.

The device is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA Devices With Your IAM-Enabled Sign-in Page.

Installing the AWS Virtual MFA Mobile Application

To download and install the AWS Virtual MFA application, go to the Amazon Appstore for Android and locate the AWS Virtual MFA application. Download the application and follow the on-screen instructions to complete the installation.

For information about configuring and enabling the AWS Virtual MFA device for use with AWS, see Enabling a Virtual Multi-factor Authentication (MFA) Device.

To open the Amazon Appstore for Android on a smartphone, scan this code with any QR code reader application.

This QR code contains the Amazon Appstore web address http://www.amazon.com/gp/feature.html?ie=UTF8&docId=1000645111.