AWS Identity and Access Management
User Guide

What If an MFA Device Is Lost or Stops Working?

If your multi-factor authentication (MFA) device is lost, damaged, or not working, you can sign in using alternative methods of authentication. This means that if you can't sign in with your MFA device, you can sign in by verifying your identity using the email and phone that are registered with your account.

If the device appears to be functioning properly, but you cannot use it to access your AWS resources, then it simply might be out of synchronization with the AWS system. For information about synchronizing an MFA device, see Resynchronize MFA Devices.

Before you sign in using alternative factors of authentication, make sure that you have access to the email and phone number that are associated with your account.

Note

If you are using an AWS account created after September 14, 2017, you might see differences in the following console pages: Sign in with authentication device and Troubleshoot your authentication device. However, the same features are provided. In either case, if you cannot verify your account email address and phone number using alternative factors of authentication, contact AWS Support to deactivate your MFA setting.

To sign in using alternative factors of authentication as an AWS account root user

  1. On the Amazon Web Services Sign In With Authentication Device page, choose Having problems with your authentication device? Click here.

  2. If required, type your password again and choose Sign in.

  3. In the Sign In Using Alternative Factors of Authentication section, choose Sign in using alternative factors.

  4. To authenticate your account by verifying the email address, choose Send verification email.

  5. Check the email that is associated with your AWS account for a message from Amazon Web Services (no-reply-aws@amazon.com). Follow the directions in the email.

    If you don't see the email in your account, check your spam folder, or return to your browser and choose Resend the email.

  6. After you verify your email address, you can continue authenticating your account. To verify your phone number, choose Call me now.

  7. Answer the call from AWS and, when prompted, enter the 6-digit number from the AWS website on your phone keypad.

    If you don't receive a call from AWS, choose Sign in to sign in to the console again and start over. Or choose AWS Support to contact support for help.

  8. After you verify your phone number, you can sign in to your account by choosing Sign in to the console.

  9. If you are using a hardware MFA device, contact the third-party provider for help fixing or replacing the device. You can continue to sign in using alternative factors of authentication until you receive your new device. After you have the new physical MFA device, go to the AWS Security Credentials page and delete the old MFA hardware device entity before you create a new one.

    If you are using a virtual MFA device, remove the account from your device. Then go to the AWS Security Credentials page and delete the old MFA virtual device entity before you create a new one.

  10. If your MFA device is missing or stolen, also change your AWS password in case an attacker has stolen the authentication device and might also have your current password.

To get help for an MFA device as an IAM user

  1. Contact the system administrator or other person who gave you the user name and password for the IAM user. The administrator must deactivate the MFA device as described in Deactivating MFA Devices so that you can sign in.

  2. If you are using a hardware MFA device, contact the third-party provider for help fixing or replacing the device. After you have the new physical MFA device, enable the device as described in Enabling a Hardware MFA Device (Console).

    If you are using a virtual MFA device, remove the account from your device. Then enable the virtual device as described in Enabling a Virtual Multi-factor Authentication (MFA) Device.

  3. If your MFA device is missing or stolen, also change your password in case an attacker has stolen the authentication device and might also have your current password.
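For an administrator who performs step 1 of the IAM user procedure from the command line, the following added example (not part of the AWS guide) uses the AWS CLI to deactivate every MFA device assigned to a user. The function name `deactivate_lost_mfa`, its arguments, and the choice to replace the password before removing the second factor are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the AWS guide. Requires the AWS CLI and
# administrator credentials that allow the iam:* calls used below.
# Usage: sh mfa_reset.sh <iam-user-name> [new-temporary-password]

deactivate_lost_mfa() {
    user="$1"
    new_password="${2:-}"
    [ -n "$user" ] || { echo "usage: deactivate_lost_mfa USER [TEMP_PASSWORD]" >&2; return 2; }

    # Device missing or stolen: replace the password first, so the old
    # password is already useless when the second factor is removed.
    # The user must choose a new password at the next sign-in.
    if [ -n "$new_password" ]; then
        aws iam update-login-profile --user-name "$user" \
            --password "$new_password" --password-reset-required || return 1
    fi

    # One serial number per assigned device, whitespace separated.
    serials=$(aws iam list-mfa-devices --user-name "$user" \
        --query 'MFADevices[].SerialNumber' --output text) || return 1
    [ -n "$serials" ] || { echo "no MFA device assigned to $user" >&2; return 3; }

    for serial in $serials; do
        aws iam deactivate-mfa-device --user-name "$user" \
            --serial-number "$serial" || return 1
        case "$serial" in
            arn:*:mfa/*)
                # A virtual device is identified by an ARN. Delete the old
                # entity so a replacement can be created afterwards.
                aws iam delete-virtual-mfa-device --serial-number "$serial" || return 1
                ;;
        esac
        echo "deactivated $serial"
    done
}

# Run only when arguments are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then deactivate_lost_mfa "$@"; fi
```

A temporary password passed as an argument is visible in the local process list while the command runs, so run this from a single-user administration host.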