AWS Identity and Access Management
User Guide

Synchronize MFA Devices

An MFA device can get out of synchronization. If the device is not synchronized when the user tries to use it, the user's sign-in attempt fails. If the user uses the MFA device to sign in to the AWS Management Console, IAM prompts the user to resynchronize the device.

IAM Console

To use the console to resynchronize an MFA device for a user

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users, and then choose the name of the user whose MFA device needs to be resynchronized.

  3. Choose the Security credentials tab. Next to Assigned MFA device, choose the pencil icon.

  4. In the Manage MFA Device wizard, choose Resynchronize MFA device, and then choose Next Step.

  5. Type the next two sequentially generated codes from the device into Authentication Code 1 and Authentication Code 2. Then choose Next Step.

    Important

    Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the request appears to work but the device remains out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time.

AWS CLI

AWS CLI: aws iam resync-mfa-device

  • Virtual MFA device: specify Amazon Resource Name (ARN) of device as SerialNumber.

    $ aws iam resync-mfa-device --user-name Bob --serial-number arn:aws:iam::123456789012:mfa/BobsMFA --authentication-code-1 123456 --authentication-code-2 987654
  • Physical MFA device: specify physical device's serial number as SerialNumber. The format is vendor specific.

    $ aws iam resync-mfa-device --user-name Bob --serial-number ABCD12345678 --authentication-code-1 123456 --authentication-code-2 987654

Important

Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the request fails because the codes expire after a short time.

Tools for Windows PowerShell

Tools for Windows PowerShell: Sync-IAMMFADevice

  • Virtual MFA device: specify Amazon Resource Name (ARN) of device as SerialNumber.

    PS C:\>Sync-IAMMFADevice -UserName Bob -SerialNumber arn:aws:iam::123456789012:mfa/BobsMFA -AuthenticationCode1 123456 -AuthenticationCode2 987654
  • Physical MFA device: specify physical device's serial number as SerialNumber. The format is vendor specific.

    PS C:\>Sync-IAMMFADevice -UserName Bob -SerialNumber ABCD12345678 -AuthenticationCode1 123456 -AuthenticationCode2 987654

Important

Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the request appears to work but the device remains out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time.

IAM API

For those who prefer to work with the API, IAM provides an API call that performs the synchronization. In this case, we recommend that you give your MFA users permission to call this API, and that you build a tool based on it that lets your users resynchronize their own devices whenever they need to.

IAM API: ResyncMFADevice
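A minimal self-service resync tool of the kind suggested above, as an added example (not code from the AWS documentation). It assumes boto3 is installed and that the caller's credentials are allowed to call iam:ResyncMFADevice on their own user and MFA device; the function names and the policy helper are this example's own, and the policy uses the ${aws:username} variable to scope the action to the calling user's own resources.

```python
import re

# Added example, not AWS's own code. Assumes boto3 is installed and the
# caller's credentials allow iam:ResyncMFADevice on their own user/device.
SIX_DIGITS = re.compile(r"^\d{6}$")

def validate_codes(code1: str, code2: str) -> None:
    """Reject input the API would reject anyway, before spending a call:
    both codes must be six digits and, being the next two sequential
    codes from the device, must not be identical."""
    for name, code in (("AuthenticationCode1", code1), ("AuthenticationCode2", code2)):
        if not SIX_DIGITS.match(code):
            raise ValueError(f"{name} must be exactly six digits")
    if code1 == code2:
        raise ValueError("the two codes must be consecutive, not the same code")

def resync_mfa_device(iam_client, user_name: str, serial_number: str,
                      code1: str, code2: str) -> dict:
    """Call ResyncMFADevice; SerialNumber is the device ARN for a virtual
    device or the vendor serial number for a hardware device."""
    validate_codes(code1, code2)
    return iam_client.resync_mfa_device(
        UserName=user_name, SerialNumber=serial_number,
        AuthenticationCode1=code1, AuthenticationCode2=code2)

def self_service_policy(account_id: str = "*") -> dict:
    """Policy that lets a user resync only their own device: the
    ${aws:username} variable binds both resources to the caller."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:ResyncMFADevice",
            "Resource": [f"arn:aws:iam::{account_id}:mfa/${{aws:username}}",
                         f"arn:aws:iam::{account_id}:user/${{aws:username}}"],
        }],
    }

if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without it
    # Read the codes right before the call: TOTP codes expire quickly,
    # so the request must go out immediately after they are generated.
    c1 = input("Authentication code 1: ").strip()
    c2 = input("Authentication code 2: ").strip()
    print(resync_mfa_device(boto3.client("iam"), "Bob",
                            "arn:aws:iam::123456789012:mfa/BobsMFA", c1, c2))
```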