What if an MFA device is lost or stops working? - AWS Identity and Access Management

What if an MFA device is lost or stops working?

If your virtual MFA device or hardware MFA device appears to be functioning properly, but you cannot use it to access your AWS resources, it might be out of synchronization with AWS. For information about synchronizing a virtual MFA device or hardware MFA device, see Resynchronizing virtual and hardware MFA devices. FIDO security keys do not go out of sync.

If your AWS account root user multi-factor authentication (MFA) device is lost, damaged, or not working, you can recover access to your account. IAM users must contact an administrator to deactivate the device.

Recovering a root user MFA device

If your AWS account root user multi-factor authentication (MFA) device is lost, damaged, or not working, you can sign in using alternative methods of authentication. This means that if you can't sign in with your MFA device, you can sign in by verifying your identity using the email and the primary contact phone number registered with your account.

Before you use alternative factors of authentication to sign in as a root user, you must be able to access the email and primary contact phone number that you associate with your account. If you can’t access this email or phone number, you must contact AWS Support.

To sign in using alternative factors of authentication as an AWS account root user

  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

  2. On the Amazon Web Services Sign In With Authentication Device page, choose Having problems with your authentication device? Click here.

    Note

    You might see alternative text, such as Sign in using MFA, Troubleshoot your authentication device, or Troubleshoot MFA, but the functionality is the same. If you can't use alternative factors of authentication to verify your account email address and primary contact phone number, contact AWS Support to deactivate your MFA device.

  3. If required, type your password again and choose Sign in.

  4. In the Sign In Using Alternative Factors of Authentication section, choose Sign in using alternative factors.

  5. To authenticate your account by verifying the email address, choose Send verification email.

  6. Check the email that is associated with your AWS account for a message from Amazon Web Services (no-reply-aws@amazon.com). Follow the directions in the email.

    If you don't see the email in your account, check your spam folder, or return to your browser and choose Resend the email.

  7. After you verify your email address, you can continue authenticating your account. To verify your primary contact phone number, choose Call me now.

  8. Answer the call from AWS and, when prompted, enter the 6-digit number from the AWS website on your phone keypad.

    If you don't receive a call from AWS, choose Sign in to sign in to the console again and start over. Or see Lost or unusable Multi-Factor Authentication (MFA) device to contact support for help.

  9. After you verify your phone number, you can sign in to your account by choosing Sign in to the console.

  10. The next step varies depending on the type of MFA you are using:

    • For a virtual MFA device, remove the account from your device. Then go to the AWS Security Credentials page and delete the old MFA virtual device entity before you create a new one.

    • For a FIDO security key, go to the AWS Security Credentials page and deactivate the old FIDO security key before enabling a new one.

    • For a hardware MFA device, contact the third-party provider for help fixing or replacing the device. You can continue to sign in using alternative factors of authentication until you receive your new device. After you have the new hardware MFA device, go to the AWS Security Credentials page and delete the old MFA hardware device entity before you create a new one.

    Note

    You don't have to replace a lost or stolen MFA device with the same type of device. For example, if you break your FIDO security key and order a new one, you can use virtual MFA or a hardware MFA device until you receive a new FIDO security key.

  11. If your MFA device is missing or stolen, also change your AWS password in case an attacker has stolen the authentication device and might also have your current password.

Recovering an IAM user MFA device

If you are an IAM user and your device is lost or stops working, you can't recover it by yourself. You must contact an administrator to deactivate the device. Then you can enable a new device.

To get help for an MFA device as an IAM user

  1. Contact the AWS administrator or other person who gave you the user name and password for the IAM user. The administrator must deactivate the MFA device as described in Deactivating MFA devices so that you can sign in.

  2. The next step varies depending on the type of MFA you are using:

    Note

    You don't have to replace a lost or stolen MFA device with the same type of device. For example, if you break your FIDO security key and order a new one, you can use virtual MFA or a hardware MFA device until you receive a new FIDO security key.

  3. If your MFA device is missing or stolen, also change your password in case an attacker has stolen the authentication device and might also have your current password.