AWS Identity and Access Management
User Guide

What If an MFA Device Is Lost or Stops Working?

If your AWS account root user multi-factor authentication (MFA) device is lost, damaged, or not working, you can sign in using alternative methods of authentication. This means that if you can't sign in with your MFA device, you can sign in by verifying your identity using the email and phone that are registered with your account.

If your virtual MFA device or hardware MFA device appears to be functioning properly, but you cannot use it to access your AWS resources, it might be out of synchronization with AWS. For information about synchronizing a virtual MFA device or hardware MFA device, see Resynchronizing Virtual and Hardware MFA Devices. U2F security keys do not go out of sync.

If the MFA device associated with an IAM user is lost or stops working, the user can't recover it. IAM users must contact an administrator to deactivate the device.

Before you sign in as a root user using alternative factors of authentication, make sure that you have access to the email and phone number that are associated with your account.

To sign in using alternative factors of authentication as an AWS account root user

  1. Use your AWS account email address and password to sign in to the AWS Management Console as the AWS account root user.

  2. On the Amazon Web Services Sign In Using MFA page, choose Having problems with your authentication device? Click here.

    Note

    If you are using an AWS account created after September 14, 2017, you might see the following console text: Sign in with authentication device, Troubleshoot your authentication device. However, the same features are provided. In either case, if you cannot verify your account email address and phone number using alternative factors of authentication, contact AWS Support to deactivate your MFA setting.

  3. If required, type your password again and choose Sign in.

  4. In the Sign In Using Alternative Factors of Authentication section, choose Sign in using alternative factors.

  5. To authenticate your account by verifying the email address, choose Send verification email.

  6. Check the email that is associated with your AWS account for a message from Amazon Web Services (no-reply-aws@amazon.com). Follow the directions in the email.

    If you don't see the email in your account, check your spam folder, or return to your browser and choose Resend the email.

  7. After you verify your email address, you can continue authenticating your account. To verify your phone number, choose Call me now.

  8. Answer the call from AWS and, when prompted, enter the 6-digit number from the AWS website on your phone keypad.

    If you don't receive a call from AWS, choose Sign in to sign in to the console again and start over. Or choose AWS Support to contact support for help.

  9. After you verify your phone number, you can sign in to your account by choosing Sign in to the console.

  10. The next step varies depending on the type of MFA you are using:

    • For a virtual MFA device, remove the account from your device. Then go to the AWS Security Credentials page and delete the old MFA virtual device entity before you create a new one.

    • For a U2F security key, go to the AWS Security Credentials page and deactivate the old U2F key before enabling a new one.

    • For a hardware MFA device, contact the third-party provider for help fixing or replacing the device. You can continue to sign in using alternative factors of authentication until you receive your new device. After you have the new hardware MFA device, go to the AWS Security Credentials page and delete the old MFA hardware device entity before you create a new one.

    Note

    You don't have to replace a lost or stolen MFA device with the same type of device. For example, if you break your U2F security key and order a new one, you can use virtual MFA or a hardware MFA device until you receive a new U2F security key.

  11. If your MFA device is missing or stolen, also change your AWS password in case an attacker has stolen the authentication device and might also have your current password.

To get help for an MFA device as an IAM user

  1. Contact the AWS administrator or other person who gave you the user name and password for the IAM user. The administrator must deactivate the MFA device as described in Deactivating MFA Devices so that you can sign in.

  2. The next step varies depending on the type of MFA you are using:

    Note

    You don't have to replace a lost or stolen MFA device with the same type of device. For example, if you break your U2F security key and order a new one, you can use virtual MFA or a hardware MFA device until you receive a new U2F security key.

  3. If your MFA device is missing or stolen, also change your password in case an attacker has stolen the authentication device and might also have your current password.