Enable a FIDO security key for the AWS account root user (console) - AWS Identity and Access Management

Enable a FIDO security key for the AWS account root user (console)

You can configure and enable a virtual MFA device for your root user from the AWS Management Console only, not from the AWS CLI or AWS API.

If your FIDO security key is lost, stolen, or not working, you can still sign in using another MFA device registered to the same AWS account root user. If you only have a single MFA device registered, you can sign in using alternate factors of identification. To learn about signing in using alternative factors of authentication, see What if an MFA device is lost or stops working?. To disable this feature, contact AWS Support.

To enable the FIDO key for your root user (console)
  1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.


    As the root user, you can't sign in to the Sign in as IAM user page. If you see the Sign in as IAM user page, choose Sign in using root user email near the bottom of the page. For help signing in as the root user, see Signing in to the AWS Management Console as the root user in the AWS Sign-In User Guide.

  2. On the right side of the navigation bar, choose your account name, and then choose Security credentials. If necessary, choose Continue to Security credentials.

            Security credentials in the navigation menu
  3. Expand the Multi-factor authentication (MFA) section.

  4. Choose Assign MFA device.

  5. In the wizard, type a Device name, choose Security Key, and then choose Next.

  6. Insert the FIDO security key into your computer's USB port.

            FIDO security key inserted into a USB port
  7. Tap the FIDO security key.

The FIDO security key is ready for use with AWS. The next time you use your root user credentials to sign in, you must tap your FIDO security key to complete the sign-in process.

For help troubleshooting issues with your FIDO security key, see Troubleshooting FIDO security keys.