AWS Identity and Access Management
User Guide

Enabling MFA Devices

The steps for configuring MFA depend on the type of MFA device you are using.

General Steps for Enabling MFA Devices

The following overview procedure describes how to set up and use MFA and provides links to related information.

  1. Get an MFA device such as one of the following. You can enable only one MFA device per AWS account root user or IAM user.

  2. Enable the MFA device.

    • IAM users with virtual or hardware MFA devices: Enable from the AWS Management Console, AWS CLI, or the IAM API.

    • IAM users with U2F security keys or a mobile phone that can receive SMS text messages: Enable from the AWS Management Console only.

    • AWS account root users with any type of MFA device (except SMS MFA, which is not supported for root users): Enable from the AWS Management Console only.

    For information about enabling each type of MFA device, see the following pages:

  3. Use the MFA device when you log in to or access AWS resources. Note the following:

    • U2F security keys: To access an AWS website, enter your credentials and then tap the U2F security key when prompted.

    • Virtual MFA devices, hardware MFA devices, and SMS MFA devices: To access an AWS website, you need an MFA code from the device in addition to your user name and password. If AWS determines that the IAM user you sign in as is MFA-enabled with SMS, then it automatically sends the MFA code to the configured phone number.

      To access MFA-protected API operations, you need the following:

      • An MFA code

      • The identifier for the MFA device (the device serial number of a physical device or the ARN of a virtual or SMS device defined in AWS)

      • The usual access key ID and secret access key

    Notes

    • You cannot pass the MFA information for a U2F security key or SMS MFA device to AWS STS API operations to request temporary credentials.

    • You cannot use AWS CLI commands or AWS API operations to enable U2F security keys.

For more information, see Using MFA Devices With Your IAM Sign-in Page.
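The shell functions below are an added example, not part of the AWS guide: they wrap the AWS CLI call `aws sts get-session-token` so that the three inputs listed in step 3 are checked first, and a U2F or SMS device is rejected locally, as the notes require. The function names, the ARN prefixes used to recognize device types, and the sample account ID and device names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Account ID and device names in the comments are constructed.

# Classify an MFA device identifier. The ARN resource prefixes (mfa/, sms-mfa/,
# u2f/) and the alphanumeric hardware serial format are assumptions; confirm
# them against the output of `aws iam list-mfa-devices` for your users.
mfa_device_kind() {
    case "$1" in
        arn:aws:iam::[0-9]*:u2f/?*)     echo u2f ;;
        arn:aws:iam::[0-9]*:sms-mfa/?*) echo sms ;;
        arn:aws:iam::[0-9]*:mfa/?*)     echo virtual ;;
        ""|arn:*|*[!A-Za-z0-9]*)        echo unknown ;;
        *)                              echo hardware ;;
    esac
}

# STS accepts only a six-digit numeric MFA code.
valid_token_code() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Exchange the usual access keys (taken from the CLI's configured credentials)
# plus the device identifier and MFA code for temporary credentials.
# Returns 2 for a device type STS cannot use, 3 for a malformed code.
mfa_session() {
    serial=$1
    code=$2
    kind=$(mfa_device_kind "$serial")
    case "$kind" in
        virtual|hardware) ;;
        *) echo "refusing: $kind MFA device cannot be passed to AWS STS" >&2
           return 2 ;;
    esac
    valid_token_code "$code" || { echo "MFA code must be six digits" >&2; return 3; }
    aws sts get-session-token \
        --serial-number "$serial" --token-code "$code" \
        --duration-seconds 3600 --output json
}

# After sourcing this file:
#   mfa_session arn:aws:iam::123456789012:mfa/alice 123456
```

The JSON printed on success contains a temporary access key ID, secret access key, and session token; calls made with those credentials carry the MFA context.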