AWS Identity and Access Management
User Guide


Deactivating MFA Devices

If you are having trouble signing in with a multi-factor authentication (MFA) device as an IAM user, contact your administrator for help.

As an administrator, you can deactivate the device for another IAM user. This allows the user to sign in without using MFA. You might do this as a temporary solution while the MFA device is replaced, or if the device is temporarily unavailable. However, we recommend that you enable a new device for the user as soon as possible. To learn how to enable a new MFA device, see Enabling MFA Devices.


If you use the API or AWS CLI to delete a user from your AWS account, you must deactivate or delete the user's MFA device. You make this change as part of the process of removing the user. For more information about deleting users, see Managing IAM Users.

Deactivating MFA Devices (Console)

To deactivate an MFA device for another IAM user (console)

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation pane, choose Users.

  3. To deactivate the MFA device for a user, choose the name of the user whose MFA you want to remove.

  4. Choose the Security credentials tab. Next to Assigned MFA device, choose Manage.

  5. In the Manage MFA device wizard, choose Deactivate MFA device, and then choose Continue.

    The device is removed from AWS. It cannot be used to sign in or authenticate requests until it is reactivated and associated with an AWS user or AWS account root user.

To deactivate the MFA device for your AWS account root user (console)

  1. Use your AWS account email address and password to sign in to the AWS Management Console as the AWS account root user.


    If you previously signed in to the console with IAM user credentials, your browser might remember this preference and open your account-specific sign-in page. You cannot use the IAM user sign-in page to sign in with your AWS account root user credentials. If you see the IAM user sign-in page, choose Sign-in using root user credentials near the bottom of the page to return to the main sign-in page. From there, you can enter your AWS account email address and password.

  2. On the right side of the navigation bar, choose your account name, and then choose My Security Credentials. If necessary, choose Continue to Security Credentials.

  3. Expand the Multi-factor authentication (MFA) section.

  4. In the row for the MFA device that you want to deactivate, choose Deactivate.

The MFA device is deactivated for the AWS account.

Deactivating MFA Devices (AWS CLI)

To deactivate an MFA device for an IAM user (AWS CLI)
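
One way an administrator might script this with the AWS CLI, as an added example that is not part of the original AWS page. The function name `deactivate_user_mfa` and its `--apply` switch are assumptions introduced here; the `aws iam list-mfa-devices` and `aws iam deactivate-mfa-device` commands are the real CLI calls, and the caller is assumed to hold `iam:ListMFADevices` and `iam:DeactivateMFADevice`.

```shell
#!/bin/sh
# Added example (not AWS's own script). Deactivates every MFA device assigned
# to one IAM user. Without --apply it only reports what it would change.
# Usage: deactivate_user_mfa USER [--apply]

deactivate_user_mfa() {
    local user mode serials serial remaining
    user=$1
    mode=${2:-}
    if [ -z "$user" ]; then
        echo "usage: deactivate_user_mfa USER [--apply]" >&2
        return 2
    fi

    # Serial numbers come back tab-separated: an ARN for a virtual device,
    # the printed serial number for a hardware device.
    serials=$(aws iam list-mfa-devices --user-name "$user" \
        --query 'MFADevices[].SerialNumber' --output text) || return 1

    if [ -z "$serials" ] || [ "$serials" = "None" ]; then
        echo "$user: no MFA device assigned"
        return 0
    fi

    for serial in $serials; do
        if [ "$mode" = "--apply" ]; then
            aws iam deactivate-mfa-device --user-name "$user" \
                --serial-number "$serial" || return 1
            echo "$user: deactivated $serial"
        else
            echo "$user: would deactivate $serial (dry run)"
        fi
    done

    # After --apply the user signs in with a password alone. Confirm the
    # result, keep the serials logged above, and enable a new device soon.
    if [ "$mode" = "--apply" ]; then
        remaining=$(aws iam list-mfa-devices --user-name "$user" \
            --query 'length(MFADevices)' --output text) || return 1
        echo "$user: $remaining MFA device(s) still assigned"
    fi
}
```

Run it once without `--apply` to review the serial numbers, then again with `--apply`; the printed lines give a record of which devices were removed from the user.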

Deactivating MFA Devices (AWS API)

To deactivate an MFA device for an IAM user (AWS API)