AWS Identity and Access Management
User Guide

Enabling a U2F Security Key (Console)

Universal 2nd Factor (U2F) security keys are a type of MFA device that you can use to protect your AWS resources. You plug your U2F security key into a USB port on your computer and enable it using the instructions that follow. After you enable it, you tap it when prompted to securely complete the sign-in process. If you already use a U2F security key with other services, and it has an AWS supported configuration (for example, the YubiKey 4 or 5 from Yubico), you can also use it with AWS. Otherwise, you need to purchase a U2F security key if you want to use U2F for MFA in AWS. For specifications and purchase information, see Multi-Factor Authentication.

U2F is an open authentication standard hosted by the FIDO Alliance. When you enable a U2F key in AWS, the U2F security key creates a new key pair for use with only AWS. First, you enter your credentials. When prompted, you tap the U2F security key, which responds to the authentication challenge issued by AWS. To learn more about the U2F standard, see Universal 2nd Factor.

You can enable one MFA device (of any kind) per root user or IAM user.

Permissions Required

To manage a U2F security key for your own IAM user while protecting sensitive MFA-related actions, you must have the permissions from the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
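The policy above relies on three IAM evaluation rules that are easy to get wrong: an explicit Deny overrides any Allow, NotAction in a Deny statement means "every action except these", and BoolIfExists treats a missing condition key as a match. The following is an added example, not AWS's evaluation engine or code from this guide. It is a small evaluator that models only the features this policy uses (Action, NotAction, a Resource containing ${aws:username}, and Bool/BoolIfExists on aws:MultiFactorAuthPresent) so you can see which calls an IAM user named alice can make with and without MFA. The account ID and user names are constructed for the example. It also evaluates a variant of the policy that uses Bool instead of BoolIfExists, to show why that weaker operator lets requests signed with long-term access keys (which carry no aws:MultiFactorAuthPresent key at all) slip past the Deny.

```python
"""Toy evaluator for the MFA self-management policy above (added example,
not the AWS policy engine).  Models: Action/NotAction, Resource with
${aws:username}, Bool and BoolIfExists on aws:MultiFactorAuthPresent.
Explicit Deny beats Allow; anything not allowed is implicitly denied."""
import copy
import fnmatch

# The policy from the page, embedded so the example runs offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
         "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice",
                    "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
         "NotAction": ["iam:EnableMFADevice", "iam:GetUser",
                       "iam:ListMFADevices", "iam:ResyncMFADevice"],
         "Resource": "arn:aws:iam::*:user/${aws:username}",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

ACCOUNT = "123456789012"  # constructed account ID for the example


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns, resource):
    # Resource ARNs are compared case-sensitively; * matches any run of chars.
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)


def _condition_holds(cond, ctx):
    """ctx holds the request context; a key absent from ctx is 'not present'.
    aws:MultiFactorAuthPresent is absent for long-term access keys and
    present (true/false) for temporary credentials."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "BoolIfExists":
                if actual is None:
                    continue  # missing key satisfies an ...IfExists operator
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "Bool":
                # missing key makes a plain Bool condition false
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def _statement_matches(stmt, action, resource, ctx):
    if "Action" in stmt and not _action_matches(_as_list(stmt["Action"]), action):
        return False
    if "NotAction" in stmt and _action_matches(_as_list(stmt["NotAction"]), action):
        return False
    resources = [r.replace("${aws:username}", ctx.get("aws:username", ""))
                 for r in _as_list(stmt.get("Resource", "*"))]
    if not _resource_matches(resources, resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny wins immediately
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def request_ctx(user, mfa):
    """mfa=True/False sets aws:MultiFactorAuthPresent; None omits the key,
    which is what a request signed with long-term access keys looks like."""
    ctx = {"aws:username": user}
    if mfa is not None:
        ctx["aws:MultiFactorAuthPresent"] = "true" if mfa else "false"
    return ctx


def user_arn(user):
    return f"arn:aws:iam::{ACCOUNT}:user/{user}"


def with_bool_operator(policy):
    """Weaker variant: same policy with Bool in place of BoolIfExists."""
    p = copy.deepcopy(policy)
    for stmt in p["Statement"]:
        cond = stmt.get("Condition", {})
        if "BoolIfExists" in cond:
            cond["Bool"] = cond.pop("BoolIfExists")
    return p


if __name__ == "__main__":
    cases = [
        ("iam:EnableMFADevice", "alice", False),      # first enrolment, no MFA yet
        ("iam:DeactivateMFADevice", "alice", False),  # removing MFA without MFA
        ("iam:DeactivateMFADevice", "alice", True),   # removing MFA with MFA
        ("iam:DeactivateMFADevice", "alice", None),   # long-term keys, no key present
    ]
    for action, user, mfa in cases:
        ctx = request_ctx(user, mfa)
        print(f"{action:26} mfa={mfa!s:5} BoolIfExists={evaluate(POLICY, action, user_arn(user), ctx):12} "
              f"Bool={evaluate(with_bool_operator(POLICY), action, user_arn(user), ctx)}")
```

The last row is the one to watch: with BoolIfExists the request made with long-term access keys is denied, because the missing key counts as "no MFA"; with a plain Bool the condition fails to match, the Deny never fires, and the Allow statement lets the user deactivate their own MFA device without ever presenting a second factor.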

Enable a U2F Security Key for Your Own IAM User (Console)

You can enable a U2F security key for your own IAM user from the AWS Management Console only, not from the AWS CLI or AWS API.

Note

Before you can enable a U2F security key, you must have physical access to the device.

To enable a U2F security key for your own IAM user (console)

  1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.

    Note

    For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.

    To get your AWS account ID, contact your administrator.

  2. In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.

  3. On the AWS IAM credentials tab, in the Multi-factor authentication section, choose Manage MFA device.

  4. In the Manage MFA device wizard, choose U2F security key, and then choose Continue.

  5. Insert the U2F security key into your computer's USB port.

  6. Tap the U2F security key, and then choose Close when U2F setup is complete.

The U2F security key is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA Devices With Your IAM Sign-in Page.

Enable a U2F Security Key for Another IAM User (Console)

You can enable a U2F security key for another IAM user from the AWS Management Console only, not from the AWS CLI or AWS API.

To enable a U2F security key for another IAM user (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users.

  3. Choose the name of the user for whom you want to enable MFA, and then choose the Security credentials tab.

  4. Next to Assigned MFA device, choose Manage.

  5. In the Manage MFA device wizard, choose U2F security key, and then choose Continue.

  6. Insert the U2F security key into your computer's USB port.

  7. Tap the U2F security key, and then choose Close when U2F setup is complete.

The U2F security key is ready for use with AWS. For information about using MFA with the AWS Management Console, see Using MFA Devices With Your IAM Sign-in Page.

Enable a U2F Security Key for the AWS Account Root User (Console)

You can enable a U2F security key for your root user from the AWS Management Console only, not from the AWS CLI or AWS API.

If your U2F security key is lost, stolen, or not working, you can still sign in using alternative factors of authentication. To learn about signing in using alternative factors of authentication, see What If an MFA Device Is Lost or Stops Working?. To disable this feature, contact AWS Support.

To enable the U2F key for your root user (console)

  1. Use your AWS account email address and password to sign in to the AWS Management Console as the AWS account root user.

    Note

    If you previously signed in to the console with IAM user credentials, your browser might remember this preference and open your account-specific sign-in page. You cannot use the IAM user sign-in page to sign in with your AWS account root user credentials. If you see the IAM user sign-in page, choose Sign-in using root user credentials near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account email address and password.

  2. On the right side of the navigation bar, choose your account name, and then choose My Security Credentials. If necessary, choose Continue to Security Credentials.

  3. Expand the Multi-factor authentication (MFA) section.

  4. Choose Manage MFA or Activate MFA, whichever the console shows for your account.

  5. In the wizard, choose U2F security key and then choose Continue.

  6. Insert the U2F security key into your computer's USB port.

  7. Tap the U2F security key, and then choose Close when U2F setup is complete.

The U2F security key is ready for use with AWS. The next time you use your root user credentials to sign in, you must tap your U2F security key to complete the sign-in process.

Replace a U2F Security Key

You can have only one MFA device (virtual, U2F security key, or hardware) assigned to a user at a time. If the user loses a U2F key or needs to replace it for any reason, you must first deactivate the old U2F key. Then you can add a new MFA device for the user.

If you don't have access to a new U2F security key, you can enable a new virtual MFA device or hardware MFA device. See one of the following for instructions: