Menu
AWS Identity and Access Management
User Guide

Checking MFA Status

Use the IAM console to check whether an AWS account root user or IAM user has a valid MFA device enabled.

To check the MFA status of a root user

  1. Sign in to the AWS Management Console with your root user credentials and then open the IAM console at https://console.aws.amazon.com/iam/.

  2. Check under Security Status to see whether MFA is enabled or disabled. If MFA has not been activated, an alert symbol ( 
            Alert icon
          ) is displayed next to Activate MFA on your root user.

If you want to enable MFA for the account, see Enable a Virtual MFA Device for Your AWS Account Root User (AWS Management Console) or Enable a Hardware MFA Device for the AWS Account Root User (AWS Management Console).

To check the MFA status of IAM users

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. If necessary, add the MFA column to the users table by completing the following steps:

    1. Above the table on the far right, choose the settings icon ( 
                Settings icon
              ).

    2. In Manage Columns, select MFA.

    3. (Optional) Clear the check box for any column headings that you do not want to appear in the users table.

    4. Choose Close to return to the list of users.

  4. The MFA column tells you about the MFA device that is enabled. If no MFA device is active for the user, the console displays Not enabled. If the user has an MFA device enabled, the MFA column shows the type of device that is enabled with a value of Hardware, SMS, or Virtual.

  5. To view additional information about the MFA device for a user, choose the name of the user whose MFA status you want to check. Then choose the Security credentials tab.

  6. If no MFA device is active for the user, the console displays No next to Assigned MFA device. If the user has an MFA device enabled, the Assigned MFA device item shows a value for the device:

    • The device serial number of a hardware device (usually the number from the back of the device), such as GAHT12345678

    • The ARN in AWS for an SMS device, such as arn:aws:iam::123456789012:sms-mfa/username

    • The ARN in AWS for a virtual device, such as arn:aws:iam::123456789012:mfa/username

If you want to change the current setting, choose the edit icon ( ) next to Assigned MFA Device. For hardware device information, see Enabling a Hardware MFA Device (AWS Management Console). For SMS device information, see PREVIEW - Enabling SMS Text Message MFA Devices. For virtual device information, see Enabling a Virtual Multi-factor Authentication (MFA) Device.