Enable a hardware TOTP token for the root user (console) - AWS Identity and Access Management

Enable a hardware TOTP token for the root user (console)

You can configure and enable a physical MFA device for your root user from the AWS Management Console only, not from the AWS CLI or AWS API.

Note

You might see different text, such as Sign in using MFA and Troubleshoot your authentication device. However, the same features are provided. In either case, if you cannot verify your account email address and phone number using alternative factors of authentication, contact AWS Support to deactivate your MFA setting.

To enable a hardware TOTP token for your root user (console)
  1. Open the AWS Management Console and sign in using your root user credentials.

    For instructions, see Sign in to the AWS Management Console as the root user in the AWS Sign-In User Guide.

  2. On the right side of the navigation bar, choose your account name, and then choose Security credentials.

    Security credentials in the navigation menu
  3. Expand the Multi-factor authentication (MFA) section.

  4. Choose Assign MFA device.

  5. In the wizard, type a Device name, choose Hardware TOTP token, and then choose Next.

  6. In the Serial number box, type the serial number that is found on the back of the MFA device.

  7. In the MFA code 1 box, type the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.

    IAM Dashboard, MFA Device
  8. Wait 30 seconds while the device refreshes the code, and then type the next six-digit number into the MFA code 2 box. You might need to press the button on the front of the device again to display the second number.

  9. Choose Add MFA. The MFA device is now associated with the AWS account.

    Important

    Submit your request immediately after generating the authentication codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device becomes out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.

    The next time you use your root user credentials to sign in, you must type a code from the MFA device.