Multi-factor authentication for AWS account root user
Multi-factor authentication (MFA) is a simple and effective mechanism to enhance your security. The first factor — your password — is a secret that you memorize, also known as a knowledge factor. Other factors can be possession factors (something you have, such as a security key) or inherence factors (something you are, such as a biometric scan). For increased security, we strongly recommend that you configure multi-factor authentication (MFA) to help protect your AWS resources.
You can enable MFA for the AWS account root user and IAM users. When you enable MFA for the root user, it only affects the root user credentials. For more information about how to enable MFA for your IAM users, see AWS Multi-factor authentication in IAM.
Before you enable MFA for your root user, review and update
your account settings and contact information to make sure that you have access to
the email and phone number. If your MFA device is lost, stolen, or not working, you can still
sign in as the root user by verifying your identity using that email and phone number. To learn
about signing in using alternative factors of authentication, see Recover an MFA protected identity in
IAM. To disable this feature, contact AWS Support
AWS supports the following MFA types for your root user:
Passkeys and security keys
AWS Identity and Access Management supports passkeys and security keys for MFA. Based on FIDO standards, passkeys use public key cryptography to provide strong, phishing-resistant authentication that is more secure than passwords. AWS supports two types of passkeys: device-bound passkeys (security keys) and synced passkeys.
-
Security keys: These are physical devices, like a YubiKey, used as a second factor for authentication. A single security key can support multiple root user accounts and IAM users.
-
Synced passkeys: These use credential managers from providers such as Google, Apple, Microsoft accounts, and third-party services like 1Password, Dashlane, and Bitwarden as a second factor.
You can use built-in biometric authenticators, like Touch ID on Apple MacBooks, to unlock your credential manager and sign in to AWS. Passkeys are created with your chosen provider using your fingerprint, face, or device PIN. You can sync passkeys across your devices to facilitate sign-ins with AWS, enhancing usability and recoverability.
IAM does not support local passkey registration for Windows Hello. To create and use
passkeys, Windows users should use cross-device authentication
Virtual authenticator applications
A virtual authenticator application runs on a phone or other device and emulates a
physical device. Virtual authenticator apps implement the time-based one-time password (TOTP)
algorithm
We do recommend that you use a virtual MFA device while waiting for hardware purchase
approval or while you wait for your hardware to arrive. For a list of a few supported apps
that you can use as virtual MFA devices, see Multi-Factor Authentication
(MFA)
Hardware TOTP tokens
A hardware device generates a six-digit numeric code based on the time-based one-time password (TOTP)
algorithm
If you want to use a physical MFA device, we recommend that you use FIDO security keys as an alternative to hardware TOTP devices. FIDO security keys offer the benefits of no battery requirements, phishing resistance, and they support multiple root and IAM users on a single device for enhanced security.
Topics
