Resynchronizing virtual and hardware MFA devices - AWS Identity and Access Management

Resynchronizing virtual and hardware MFA devices

You can use AWS to resynchronize your virtual and hardware multi-factor authentication (MFA) devices. If your device is not synchronized when you try to use it, the sign-in attempt fails and IAM prompts you to resynchronize the device.

Note

FIDO security keys do not go out of sync. If a FIDO security key is lost or broken, you can deactivate it. For instructions on deactivating any MFA device type, see To deactivate an MFA device for another IAM user (console).

As an AWS administrator, you can resynchronize your IAM users' virtual and hardware MFA devices if they get out of synchronization.

If your AWS account root user MFA device is not working, you can resynchronize your device using the IAM console with or without completing the sign-in process. If you aren’t able to successfully resynchronize your device, you may need to de-associate and re-associate it. For more information on how to do this, see Deactivating MFA devices and Enabling MFA devices for users in AWS.

Permissions required

To resynchronize virtual or hardware MFA devices for your own IAM user, you must have the permissions from the following policy. This policy does not allow you to create or deactivate a device.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListActions", "Effect": "Allow", "Action": [ "iam:ListVirtualMFADevices" ], "Resource": "*" }, { "Sid": "AllowUserToViewAndManageTheirOwnUserMFA", "Effect": "Allow", "Action": [ "iam:ListMFADevices", "iam:ResyncMFADevice" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "BlockAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] }

Resynchronizing virtual and hardware MFA devices (IAM console)

You can use the IAM console to resynchronize virtual and hardware MFA devices.

To resynchronize a virtual or hardware MFA device for your own IAM user (console)
  1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.

    Note

    For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.

    To get your AWS account ID, contact your administrator.

  2. In the navigation bar on the upper right, choose your user name, and then choose Security credentials.

    
            AWS Management Console Security credentials link
  3. On the AWS IAM credentials tab, in the Multi-factor authentication (MFA) section, choose the radio button next to the MFA device and choose Resync.

  4. Type the next two sequentially generated codes from the device into MFA code 1 and MFA code 2. Then choose Resync.

    Important

    Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the request appears to work but the device remains out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time.

To resynchronize a virtual or hardware MFA device for another IAM user (console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users, and then choose the name of the user whose MFA device needs to be resynchronized.

  3. Choose the Security credentials tab. In the Multi-factor authentication (MFA) section, choose the radio button next to the MFA device and choose Resync.

  4. Type the next two sequentially generated codes from the device into MFA code 1 and MFA code 2. Then choose Resync.

    Important

    Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the request appears to work but the device remains out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time.

To resynchronize your root user MFA before signing in (console)
  1. On the Amazon Web Services Sign In With Authentication Device page, choose Having problems with your authentication device? Click here.

    Note

    You might see different text, such as Sign in using MFA and Troubleshoot your authentication device. However, the same features are provided.

  2. In the Re-Sync With Our Servers section, type the next two sequentially generated codes from the device into MFA code 1 and MFA code 2. Then choose Re-sync authentication device.

  3. If necessary, type your password again and choose Sign in. Then complete the sign-in using your MFA device.

To resynchronize your root user MFA device after signing in (console)
  1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    Note

    As the root user, you can't sign in to the Sign in as IAM user page. If you see the Sign in as IAM user page, choose Sign in using root user email near the bottom of the page. For help signing in as the root user, see Signing in to the AWS Management Console as the root user in the AWS Sign-In User Guide.

  2. On the right side of the navigation bar, choose on your account name, and then choose Security credentials. If necessary, choose Continue to Security credentials.

    
            Security credentials in the navigation menu
  3. Expand the Multi-factor authentication (MFA) section on the page.

  4. Choose the radio button next to the device and choose Resync.

  5. In the Resync MFA device dialog box, type the next two sequentially generated codes from the device into MFA code 1 and MFA code 2. Then choose Resync.

    Important

    Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device is successfully associated with the user, but the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time.

Resynchronizing virtual and hardware MFA devices (AWS CLI)

You can resynchronize virtual and hardware MFA devices from the AWS CLI.

To resynchronize a virtual or hardware MFA device for an IAM user (AWS CLI)

At a command prompt, issue the aws iam resync-mfa-device command:

  • Virtual MFA device: Specify Amazon Resource Name (ARN) of device as the serial number.

    aws iam resync-mfa-device --user-name Richard --serial-number arn:aws:iam::123456789012:mfa/RichardsMFA --authentication-code1 123456 --authentication-code2 987654
  • Hardware MFA device: Specify hardware device's serial number as serial number. The format is vendor-specific. For example, you can purchase a gemalto token from Amazon. Its serial number is typically four letters followed by four numbers.

    aws iam resync-mfa-device --user-name Richard --serial-number ABCD12345678 --authentication-code1 123456 --authentication-code2 987654
Important

Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the request fails because the codes expire after a short time.

Resynchronizing virtual and hardware MFA devices (AWS API)

IAM has an API call that performs synchronization. In this case, we recommend that you give your virtual and hardware MFA device users permission to access this API call. Then build a tool based on that API call so your users can resynchronize their devices whenever they need to.

To resynchronize a virtual or hardware MFA device for an IAM user (AWS API)