Enable a hardware TOTP token for the AWS account root user (console) - AWS Identity and Access Management

Enable a hardware TOTP token for the AWS account root user (console)

You can configure and enable a physical MFA device for your root user from the AWS Management Console only, not from the AWS CLI or AWS API.


You might see different text, such as Sign in using MFA and Troubleshoot your authentication device. However, the same features are provided. In either case, if you cannot verify your account email address and phone number using alternative factors of authentication, contact AWS Support to deactivate your MFA setting.

To enable the MFA device for your root user (console)
  1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.


    As the root user, you can't sign in to the Sign in as IAM user page. If you see the Sign in as IAM user page, choose Sign in using root user email near the bottom of the page. For help signing in as the root user, see Signing in to the AWS Management Console as the root user in the AWS Sign-In User Guide.

  2. On the right side of the navigation bar, choose on your account name, and then choose Security credentials. If necessary, choose Continue to Security credentials.

    Security credentials in the navigation menu
  3. Expand the Multi-factor authentication (MFA) section.

  4. Choose Assign MFA device.

  5. In the wizard, type a Device name, choose Hardware TOTP token, and then choose Next.

  6. In the Serial number box, type the serial number that is found on the back of the MFA device.

  7. In the MFA code 1 box, type the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.

    IAM Dashboard, MFA Device
  8. Wait 30 seconds while the device refreshes the code, and then type the next six-digit number into the MFA code 2 box. You might need to press the button on the front of the device again to display the second number.

  9. Choose Add MFA. The MFA device is now associated with the AWS account.


    Submit your request immediately after generating the authentication codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device becomes out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.

    The next time you use your root user credentials to sign in, you must type a code from the MFA device.