Menu
AWS GovCloud (US)
User Guide

Enabling Multi-Factor Authentication (MFA)

For increased security, we recommend that you configure multi-factor authentication (MFA) to help protect your AWS GovCloud (US) resources. MFA adds extra security because it requires users to enter a unique authentication code from an approved authentication device when they access AWS websites or services.

AWS GovCloud (US) offers security token-based MFA. You must assign an MFA device (hardware or virtual) to the IAM user or the AWS root account. The device generates a six-digit numeric code based on a time-synchronized, one-time password algorithm. The user must enter a valid code from the device on a second web page during sign-in. Each MFA device assigned to a user must be unique. A user cannot authenticate by entering a code from another user's device.

The following high-level procedure describes how to set up and use MFA in AWS GovCloud (US) and provides links to related information.

  1. Get an MFA token device. You can enable only one MFA device per IAM user. The device can be used by the specified user only.

    • A hardware-based token device, such as one of the AWS-supported hardware token devices listed under the “Hardware Key Fob MFA Device for AWS GovCloud (US)” section of the Multi-Factor Authentication page.

    • A virtual token device, which is a software application that is compliant with RFC 6238, a standards-based, time-based one-time password (TOTP) algorithm. You can install the application on a mobile device, such as a tablet or smartphone. For a list of apps you can use as virtual MFA devices, see the "Virtual MFA Applications" section of the Multi-Factor Authentication page.

  2. Enable the MFA device. There are two steps to enabling a device. First, you create an MFA device entity in IAM. Second, you associate the MFA device entity with the IAM user. You can perform these tasks in the AWS Management Console, the AWS CLI, AWS Tools for Windows PowerShell, or the IAM API.

    For information about enabling MFA devices, see the following topics:

  3. Use the MFA device when you sign in to or access AWS resources.

For more information, see Using MFA Devices with Your IAM Sign-in Page and Enabling a Virtual Multi-Factor Authentication (MFA) Device.