Enabling a hardware MFA device (console)
A hardware MFA device generates a six-digit numeric code based upon a time-synchronized one-time password algorithm. The user must type a valid code from the device when prompted during the sign-in process. Each MFA device assigned to a user must be unique; a user cannot type a code from another user's device to be authenticated.
Hardware MFA devices and FIDO security
keys are both physical devices that you purchase. The difference is that hardware MFA
devices generate a code that you view and then enter when prompted when signing it to AWS.
With a FIDO security key, you don't see or type an authentication code. Instead, the FIDO security
key generates a response without presenting it to the user and the service validates it. For
specifications and purchase information for both device types, see Multi-Factor Authentication
You can enable a hardware MFA device for an IAM user from the AWS Management Console, the command line, or the IAM API. To enable an MFA device for your AWS account root user, see Enable a hardware MFA device for the AWS account root user (console).
You can enable one MFA device (of any kind) per root user or IAM user.
If you want to enable the device from the command line, use iam-userenablemfadevice
aws iam
enable-mfa-device. To enable the MFA device with the IAM API, use the EnableMFADevice operation.
Topics
Permissions required
To manage a hardware MFA device for your own IAM user while protecting sensitive MFA-related actions, you must have the permissions from the following policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowManageOwnUserMFA", "Effect": "Allow", "Action": [ "iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice" ], "Resource": "arn:aws:iam::*:user/${aws:username}", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] }
Enable a hardware MFA device for your own IAM user (console)
You can enable your own hardware MFA device from the AWS Management Console.
Before you can enable a hardware MFA device, you must have physical access to the device.
To enable a hardware MFA device for your own IAM user (console)
-
Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console
. Note For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.
To get your AWS account ID, contact your administrator.
-
In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.
-
On the AWS IAM credentials tab, in the Multi-factor authentication section, choose Manage MFA device.
-
In the Manage MFA device wizard, choose Hardware MFA device and then choose Continue.
-
Type the device serial number. The serial number is usually on the back of the device.
-
In the MFA code 1 box, type the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.
-
Wait 30 seconds while the device refreshes the code, and then type the next six-digit number into the MFA code 2 box. You might need to press the button on the front of the device again to display the second number.
-
Choose Assign MFA.
Important Submit your request immediately after generating the authentication codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device becomes out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.
The device is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA devices with your IAM sign-in page.
Enable a hardware MFA device for another IAM user (console)
You can enable a hardware MFA device for another IAM user from the AWS Management Console.
To enable a hardware MFA device for another IAM user (console)
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Users.
-
Choose the name of the user for whom you want to enable MFA, and then choose the Security credentials tab.
-
Next to Assigned MFA device, choose Manage.
-
In the Manage MFA device wizard, choose Hardware MFA device and then choose Continue.
-
Type the device serial number. The serial number is usually on the back of the device.
-
In the MFA code 1 box, type the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.
-
Wait 30 seconds while the device refreshes the code, and then type the next six-digit number into the MFA code 2 box. You might need to press the button on the front of the device again to display the second number.
-
Choose Assign MFA.
Important Submit your request immediately after generating the authentication codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device becomes out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.
The device is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA devices with your IAM sign-in page.
Enable a hardware MFA device for the AWS account root user (console)
You can configure and enable a virtual MFA device for your root user from the AWS Management Console only, not from the AWS CLI or AWS API.
If your MFA device is lost, stolen, or not working, you can still sign in using
alternative factors of authentication. If you can't sign in with your MFA device, you can sign
in by verifying your identity using the email and phone that are registered with your account.
Before you enable MFA for your root user, review your account settings and contact information to
make sure that you have access to the email and phone number. To learn about signing in using
alternative factors of authentication, see What if an MFA device is lost or stops
working?. To disable this feature, contact AWS Support
You might see different text, such as Sign in using MFA
and Troubleshoot your authentication device. However, the
same features are provided. In either case, if you cannot verify your account email address
and phone number using alternative factors of authentication, contact AWS Support
To enable the MFA device for your root user (console)
-
Sign in to the IAM console
as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password. Note If you see three text boxes, then you previously signed in to the console with IAM user credentials. Your browser might remember this preference and open this account-specific sign-in page every time that you try to sign in. You cannot use the IAM user sign-in page to sign in as the account owner. If you see the IAM user sign-in page, choose Sign in using root user email near the bottom of the page. This returns you to the main sign-in page. From there, you can sign in as the root user using your AWS account email address and password.
-
On the right side of the navigation bar, choose on your account name, and then choose My Security Credentials. If necessary, choose Continue to Security Credentials.
-
Expand the Multi-factor authentication (MFA) section.
-
Choose Manage MFA or Activate MFA, depending on which option you chose in the preceding step.
-
In the wizard, choose Hardware MFA device and then choose Continue.
-
In the Serial number box, type the serial number that is found on the back of the MFA device.
-
In the MFA code 1 box, type the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number.
-
Wait 30 seconds while the device refreshes the code, and then type the next six-digit number into the MFA code 2 box. You might need to press the button on the front of the device again to display the second number.
-
Choose Assign MFA. The MFA device is now associated with the AWS account.
Important Submit your request immediately after generating the authentication codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device becomes out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.
The next time you use your root user credentials to sign in, you must type a code from the MFA device.
Replace or "rotate" a physical MFA device
You can have only one MFA device assigned to a user at a time. If the user loses a device or needs to replace it for any reason, you must first deactivate the old device. Then you can add the new device for the user.
-
To deactivate the device currently associated with a user, see Deactivating MFA devices.
-
To add a replacement hardware MFA device for an IAM user, follow the steps in the procedure Enable a hardware MFA device for another IAM user (console) earlier in this topic.
-
To add a replacement virtual MFA device for the AWS account root user, follow the steps in the procedure Enable a hardware MFA device for the AWS account root user (console) earlier in this topic.
