AWS Identity and Access Management
User Guide

Using Multi-Factor Authentication (MFA) in AWS

For increased security, we recommend that you configure multi-factor authentication (MFA) to help protect your AWS resources. MFA adds extra security because it requires users to enter a unique authentication code from an approved authentication device or SMS text message when they access AWS websites or services.

  • Security token-based. This type of MFA requires you to assign an MFA device (hardware or virtual) to the IAM user or the AWS account root user. A virtual device is a software application running on a phone or other mobile device that emulates a physical device. Either way, the device generates a six digit numeric code based upon a time-synchronized one-time password algorithm. The user must enter a valid code from the device on a second web page during sign-in. Each MFA device assigned to a user must be unique; a user cannot enter a code from another user's device to authenticate. For more information about enabling security token-based MFA, see Enabling a Hardware MFA Device (AWS Management Console) and Enabling a Virtual Multi-factor Authentication (MFA) Device.

  • SMS text message-based. This type of MFA requires you to configure the IAM user with the phone number of the user's SMS-compatible mobile device. When the user signs in, AWS sends a six digit numeric code by SMS text message to the user's mobile device and requires the user to enter that code on a second web page during sign-in. Note that SMS-based MFA is available only for IAM users. You cannot use this type of MFA with the AWS account root user. For more information about enabling SMS text messaging-based MFA, see PREVIEW - Enabling SMS Text Message MFA Devices.


    SMS MFA is currently available only as a preview program. It is available to anyone who signs up to participate. To sign up, follow the instructions on the Multi-Factor Authentication details page.

No matter how the user receives the six digit numeric MFA code, the user enters it on a second page of the sign-in process for the AWS Management Console. If the user is working with the AWS STS API or CLI instead of the console, then you can pass hardware or virtual MFA device codes as parameters to STS APIs to get temporary credentials.


Currently, you can use SMS-based MFA only with AWS Management Console. You cannot use SMS-based MFA with the API or CLI.

This section shows you how to configure MFA for your users and set them up to use token devices or SMS text messages. It also describes how to synchronize and deactivate existing token devices, and what to do when a device is lost or stops working.


  • When you enable MFA for the root user, it affects only the root user credentials. IAM users in the account are distinct identities with their own credentials, and each identity has its own MFA configuration.

  • If you enable MFA on your AWS account (the root user) and also enable MFA on the associated account with the same email address, you will be prompted for two different MFA codes whenever you sign in as the root user.

For answers to commonly asked questions about AWS MFA, go to the AWS Multi-Factor Authentication FAQs.