AWS Documentation » AWS Identity and Access Management » User Guide » Identities (Users, Groups, and Roles) » IAM Users » Using Multi-Factor Authentication (MFA) in AWS » Enabling MFA Devices » Enabling a Hardware MFA Device (AWS Management Console)

Enabling a Hardware MFA Device (AWS Management Console)

Topics

• Enable a Hardware MFA Device for an IAM User (AWS Management Console)
• Enable a Hardware MFA Device for the AWS Account Root User (AWS Management Console)
• Replace or "Rotate" a Physical MFA Device

You can enable a hardware MFA device from the AWS Management Console, the command line, or the IAM API. The following procedure shows you how to use the AWS Management Console to enable the device for a user under your AWS account. To enable an MFA device for your AWS account root user, see Enable a Hardware MFA Device for the AWS Account Root User (AWS Management Console).

You can enable one MFA device (of any kind) per root user or IAM user.

Note

If you want to enable the device from the command line, use aws iam enable-mfa-device. To enable the MFA device with the IAM API, use the EnableMFADevice action.

Enable a Hardware MFA Device for an IAM User (AWS Management Console)

You can enable a hardware MFA device from the AWS Management Console.

To use the AWS Management Console to enable a hardware MFA device for an IAM user

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

2. In the navigation pane, choose Users.

3. Choose the name of the user for whom you want to enable MFA, and then choose the Security credentials tab.

4. Next to Assigned MFA device, choose the pencil icon ( ).

5. In the Manage MFA Device wizard, choose A hardware MFA device and then choose Next Step.

6. Type the device serial number. The serial number is usually on the back of the device.

7. In the Authentication Code 1 box, type the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.

   

8. Wait 30 seconds while the device refreshes the code, and then type the next six-digit number into the Authentication Code 2 box. You might need to press the button on the front of the device again to display the second number.

9. Choose Next Step.

   Important

   Submit your request immediately after generating the authentication codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device becomes out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.

The device is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA Devices With Your IAM Sign-in Page.

Enable a Hardware MFA Device for the AWS Account Root User (AWS Management Console)

You can manage MFA devices for the root user only with the AWS Management Console.

To use the AWS Management Console to enable the MFA device for your root user

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

   Important

   To manage MFA devices for the AWS account, you must use your root user credentials to sign in to AWS. You cannot manage MFA devices for the root user while signed in with other credentials.

   Note

   If you enable MFA on your AWS account (the root user) and also enable MFA on the associated Amazon.com account with the same email address, you will be prompted for two different MFA codes whenever you sign in as the root user.

2. Do one of the following:

   • Option 1: Choose Dashboard, and under Security Status, expand Activate MFA on your root account.

   • Option 2: On the right side of the navigation bar, choose on your account name, and then choose Security Credentials. If necessary, choose Continue to Security Credentials. Then expand the Multi-Factor Authentication (MFA) section on the page.

     

3. Choose Manage MFA or Activate MFA, depending on which option you chose in the preceding step.

4. In the wizard, choose A hardware MFA device and then choose Next Step.

5. In the Serial Number box, enter the serial number that is found on the back of the MFA device.

6. In the Authentication Code 1 box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.

   

7. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the Authentication Code 2 box. You might need to press the button on the front of the device again to display the second number.

8. Choose Next Step. The MFA device is now associated with the AWS account.

   Important

   Submit your request immediately after generating the authentication codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device becomes out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.

   The next time you use your root user credentials to sign in, you must type a code from the MFA device.

Replace or "Rotate" a Physical MFA Device

You can have only one MFA device assigned to a user at a time. If the user loses a device or needs to replace it for any reason, you must first deactivate the old device. Then you can add the new device for the user.

• To deactivate the device currently associated with a user, see Deactivating MFA Devices.

• To add a replacement hardware MFA device for an IAM user, follow the steps in the procedure Enable a Hardware MFA Device for an IAM User (AWS Management Console) above.

• To add a replacement virtual MFA device for the AWS account root user, follow the steps in the procedure Enable a Hardware MFA Device for the AWS Account Root User (AWS Management Console) above.