Recover an MFA protected identity in IAM
If your virtual MFA device or hardware TOTP token appears to be functioning properly, but you can't use it to access your AWS resources, it might be out of synchronization with AWS. For information about synchronizing a virtual MFA device or hardware MFA device, see Resynchronize virtual and hardware MFA devices. FIDO security keys do not go out of sync.
If the MFA device for an AWS account root user is lost, damaged, or not working, you can recover access to your account. IAM users must contact an administrator to deactivate the device.
Important
We recommend that you activate multiple MFA devices. Registering multiple MFA devices helps ensure continued access if a device is lost or broken. Your AWS account root user and IAM users can register up to eight MFA devices of any type.
Prerequisite – Use another MFA device
If your multi-factor authentication (MFA) device is lost, damaged, or not working, you can sign in using another MFA device registered to the same root user or IAM user.
To sign in using another MFA device
- Sign in to the AWS Management Console with your AWS account ID or account alias and password.
- On the Additional verification required page or Multi-factor authentication page, choose Try another MFA method.
- Authenticate with the type of MFA device that you selected.
- The next step varies based on whether you successfully signed in with an alternate MFA device.
  - If you have successfully signed in, you can Resynchronize virtual and hardware MFA devices, which may resolve the issue. If your MFA device is lost or broken, you can deactivate it. For instructions on deactivating any MFA device type, see Deactivate an MFA device.
  - If you can't sign in with MFA, use the steps in Recovering a root user MFA device or Recovering an IAM user MFA device to recover your MFA protected identity.
Recovering a root user MFA device
If you can't sign in with MFA, you can use alternative methods of authentication to sign in by verifying your identity using the email and the primary contact phone number registered with your account.
Confirm you are able to access the email and primary contact phone number associated with your account before you use alternative authentication factors to sign in as a root user. If you need to update the primary contact phone number, sign in as an IAM user with Administrator access instead of the root user. For additional instructions on updating the account contact information, see Editing contact information in the AWS Billing User Guide. If you do not have access to an email and primary contact phone number, you must contact AWS Support.
Important
We recommend that you keep the email address and contact phone number linked to your root user up to date for a successful account recovery. For more information, see Update the primary contact for your AWS account in the AWS Account Management Reference Guide.
To sign in using alternative factors of authentication as an AWS account root user
- Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.
- On the Additional verification required page, select an MFA method to authenticate with and choose Next.
Note
You might see alternative text, such as Sign in using MFA, Troubleshoot your authentication device, or Troubleshoot MFA, but the functionality is the same. If you can't use alternative authentication factors to verify your account email address and primary contact phone number, contact AWS Support to deactivate your MFA device.
- Depending on the type of MFA you are using, you will see a different page, but the Troubleshoot MFA option functions the same. On the Additional verification required page or Multi-factor authentication page, choose Troubleshoot MFA.
- If required, type your password again and choose Sign in.
- On the Troubleshoot your authentication device page, in the Sign in using alternative factors of authentication section, choose Sign in using alternative factors.
- On the Sign in using alternative factors of authentication page, to authenticate your account by verifying the email address, choose Send verification email.
- Check the email that is associated with your AWS account for a message from Amazon Web Services (recover-mfa-no-reply@verify.signin.aws). Follow the directions in the email.
  If you don't see the email in your account, check your spam folder, or return to your browser and choose Resend the email.
- After you verify your email address, you can continue authenticating your account. To verify your primary contact phone number, choose Call me now.
- Answer the call from AWS and, when prompted, enter the 6-digit number from the AWS website on your phone keypad.
  If you don't receive a call from AWS, choose Sign in to sign in to the console again and start over. Or see Lost or unusable Multi-Factor Authentication (MFA) device to contact support for help.
- After you verify your phone number, you can sign in to your account by choosing Sign in to the console.
- The next step varies depending on the type of MFA you are using:
  - For a virtual MFA device, remove the account from your device. Then go to the AWS Security Credentials page and delete the old MFA virtual device entity before you create a new one.
  - For a FIDO security key, go to the AWS Security Credentials page and deactivate the old FIDO security key before enabling a new one.
  - For a hardware TOTP token, contact the third-party provider for help with fixing or replacing the device. You can continue to sign in using alternative factors of authentication until you receive your new device. After you have the new hardware MFA device, go to the AWS Security Credentials page and delete the old MFA device.
Note
You don't have to replace a lost or stolen MFA device with the same type of device. For example, if you break your FIDO security key and order a new one, you can use virtual MFA or a hardware TOTP token until the new FIDO key arrives.
Important
If your MFA device is missing or stolen, change your root user password after signing in and establishing your replacement MFA device. An attacker may have stolen the authentication device and might also have your current password. For more information, see Change the password for the AWS account root user.
Recovering an IAM user MFA device
If you are an IAM user who can't sign in with MFA, you can't recover an MFA device by yourself. You must contact an administrator to deactivate the device. Then you can enable a new device.
To get help for an MFA device as an IAM user
- Contact the AWS administrator or other person who gave you the user name and password for the IAM user. The administrator must deactivate the MFA device as described in Deactivate an MFA device so that you can sign in.
- The next step varies depending on the type of MFA you are using:
  - For a virtual MFA device, remove the account from your device. Then enable the virtual device as described in Assign a virtual MFA device in the AWS Management Console.
  - For a FIDO security key, contact the third-party provider for help with replacing the device. When you receive the new FIDO security key, enable it as described in Assign a passkey or security key in the AWS Management Console.
  - For a hardware TOTP token, contact the third-party provider for help with fixing or replacing the device. After you have the new physical MFA device, enable the device as described in Assign a hardware TOTP token in the AWS Management Console.
Note
You don't have to replace a lost or stolen MFA device with the same type of device. You can have up to eight MFA devices of any combination. For example, if you break your FIDO security key and order a new one, you can use virtual MFA or a hardware TOTP token until the new FIDO key arrives.
- If your MFA device is missing or stolen, also change your password in case an attacker has stolen the authentication device and might also have your current password. For more information, see Manage passwords for IAM users.