AWS Identity and Access Management
User Guide

What If an MFA Device Is Lost or Stops Working?

If an MFA device stops working, is lost, or is destroyed, and you can't sign in to the AWS Management Console, then you need to deactivate the device. AWS can help you deactivate the device. The way that you get help depends on whether an MFA device is assigned to the AWS account root user or to a user within an AWS account.


If the device appears to be functioning properly, but you cannot use it to access your AWS resources, it might simply be out of synchronization with the AWS system. For information about synchronizing an MFA device, see Synchronize MFA Devices.

To get help for an MFA device associated with an AWS account root user

  1. Go to the AWS Contact Us page for help with disabling AWS MFA so that you can temporarily access secure pages on the AWS website and the AWS Management Console with just your user name and password.

  2. Change your AWS password in case an attacker has stolen the authentication device and might also have your current password.

  3. If you are using a hardware MFA device, contact the third-party provider for help fixing or replacing the device. If the device is a virtual MFA device, delete the old virtual MFA device entity in IAM before creating a new one.

  4. After you have the new physical MFA device or you have deleted the old entry from the mobile device, return to the AWS website and activate the MFA device to reenable AWS MFA for your AWS account. To manage a hardware MFA for your AWS account, go to the AWS Security Credentials page.

To get help for an MFA device associated with an IAM user

  • Contact the system administrator or other person who gave you the user name and password for the IAM user. The administrator must deactivate the MFA device as described in Deactivating MFA Devices.
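
The administrator-side reset for an IAM user can be scripted as below: deactivate each assigned device, then delete the entity of any virtual device so a replacement can be created. This is an added example, not part of the AWS guide. It assumes a boto3 IAM client (or the constructed `FakeIAM` stand-in used here for offline runs) and that virtual devices are the ones whose serial number is an IAM ARN with an `mfa/` resource.

```python
# Added example: administrator-side MFA reset for one IAM user.
def is_virtual(serial):
    # Assumption: virtual MFA serials are IAM ARNs with an "mfa/" resource;
    # hardware tokens report the vendor's serial number instead.
    return serial.startswith("arn:") and ":mfa/" in serial

def list_serials(iam, user_name):
    """Collect every MFA serial assigned to the user, following pagination."""
    serials, kwargs = [], {"UserName": user_name}
    while True:
        page = iam.list_mfa_devices(**kwargs)
        serials += [d["SerialNumber"] for d in page["MFADevices"]]
        if not page.get("IsTruncated"):
            return serials
        kwargs["Marker"] = page["Marker"]

def reset_user_mfa(iam, user_name, apply=False):
    """Deactivate each device, then delete virtual device entities.
    Returns the ordered (action, serial) plan; calls IAM only if apply=True."""
    plan = []
    for serial in list_serials(iam, user_name):
        plan.append(("deactivate", serial))
        if apply:
            iam.deactivate_mfa_device(UserName=user_name, SerialNumber=serial)
        if is_virtual(serial):
            # The old virtual entity must go before a replacement is created.
            plan.append(("delete-virtual", serial))
            if apply:
                iam.delete_virtual_mfa_device(SerialNumber=serial)
    return plan

class FakeIAM:
    """Constructed stand-in for a boto3 IAM client so the example runs offline."""
    def __init__(self, serials):
        self.serials, self.calls = list(serials), []
    def list_mfa_devices(self, UserName, Marker=None):
        start = int(Marker or 0)  # one device per page to exercise pagination
        more = start + 1 < len(self.serials)
        page = [{"SerialNumber": s} for s in self.serials[start:start + 1]]
        return {"MFADevices": page, "IsTruncated": more, "Marker": str(start + 1)}
    def deactivate_mfa_device(self, UserName, SerialNumber):
        self.calls.append(("deactivate", SerialNumber))
    def delete_virtual_mfa_device(self, SerialNumber):
        self.calls.append(("delete-virtual", SerialNumber))

if __name__ == "__main__":
    # Constructed sample data: one virtual device ARN and one hardware serial.
    fake = FakeIAM(["arn:aws:iam::111122223333:mfa/alice", "GAHT12345678"])
    for step in reset_user_mfa(fake, "alice"):
        print(*step)
```

To run it against a real account, pass `boto3.client("iam")` instead of `FakeIAM` and review the returned plan before calling again with `apply=True`.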