Troubleshoot Passkeys and FIDO Security Keys - AWS Identity and Access Management

Troubleshoot Passkeys and FIDO Security Keys

Use the information here to help you diagnose common issues that you might encounter when working with passkeys and FIDO2 security keys.

I can't enable my FIDO security key

Consult the following solutions depending on your status as an IAM user or system administrator.

IAM users

If you can't enable your FIDO security key, check the following:

  • Are you using a supported configuration?

    IAM supports FIDO2 security devices that connect to your devices through USB, Bluetooth, or NFC. IAM also supports platform authenticators such as TouchID or FaceID. IAM does not support local passkey registration for Windows Hello. To create and use passkeys, Windows users should use cross-device authentication where you use a passkey from one device like a mobile device or hardware security key to sign in on another device like a laptop.

    For information on devices and browsers you can use with WebAuthn and AWS, see Supported configurations for using passkeys and security keys.

  • Are you using Mozilla Firefox?

    • Current Firefox versions support WebAuthn by default. If your Firefox version has WebAuthn disabled, enable it as follows:

      1. From the Firefox address bar, type about:config.

      2. In the Search bar of the screen that opens, type webauthn.

      3. Choose security.webauth.webauthn and change its value to true.

    • Firefox on macOS may not fully support cross-device authentication workflows for passkeys. You may get a prompt to touch a security key instead of proceeding with cross-device authentication. We recommend using a different browser, such as Chrome or Safari, for signing in with passkeys on macOS.

  • Are you using any browser plugins?

    AWS does not support the use of plugins to add WebAuthn browser support. Instead, use a browser that offers native support for the WebAuthn standard.

    Even if you're using a supported browser, you may have a plugin that is incompatible with WebAuthn. An incompatible plugin may prevent you from enabling and using your FIDO-compliant security key. Disable any plugins that might be incompatible and restart your browser. Then, retry enabling the FIDO security key.

  • Do you have the appropriate permissions?

    If you don't have any of the above compatibility issues, you may not have the appropriate permissions. Contact your system administrator.
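The browser-side conditions in the list above (a browser with native WebAuthn support, WebAuthn enabled in Firefox, no plugin interfering with it) can be checked from the browser's developer console before you contact an administrator. The following is an added example and not code from this page or from AWS. The window-like objects at the bottom are constructed so the check also runs outside a browser; the test for an overridden navigator.credentials.create is a heuristic of mine, not an AWS-documented check.

```javascript
// Added example (not from the AWS page): checks for the browser-side causes that
// the troubleshooting list covers. Paste into the developer console on the AWS
// sign-in page and call diagnoseWebAuthn(window), or pass a constructed object.

function diagnoseWebAuthn(win) {
  const report = { ok: false, secureContext: false, webauthnApi: false, problems: [] };

  // WebAuthn is only exposed in secure contexts (HTTPS, or localhost).
  report.secureContext = win.isSecureContext === true;
  if (!report.secureContext) {
    report.problems.push("not a secure context: WebAuthn requires HTTPS");
  }

  // Native support means PublicKeyCredential and navigator.credentials.create exist.
  // Missing both: unsupported browser, or Firefox with security.webauth.webauthn=false.
  const hasPkc = typeof win.PublicKeyCredential === "function";
  const create = win.navigator && win.navigator.credentials
    ? win.navigator.credentials.create : undefined;
  const hasCreate = typeof create === "function";
  report.webauthnApi = hasPkc && hasCreate;
  if (!report.webauthnApi) {
    report.problems.push("WebAuthn API missing: use a browser with native WebAuthn " +
      "support, or in Firefox set security.webauth.webauthn to true in about:config");
  }

  // Heuristic for an interfering plugin: a page script or extension that wraps
  // navigator.credentials.create replaces the browser's native function, whose
  // source text always reads "[native code]".
  if (hasCreate && !/\[native code\]/.test(Function.prototype.toString.call(create))) {
    report.problems.push("navigator.credentials.create is overridden by a script or " +
      "extension: disable plugins, restart the browser, and retry");
  }

  report.ok = report.problems.length === 0;
  return report;
}

// Async capability probes; only meaningful in a real browser. Note that a true
// platformAuthenticator result on Windows does not mean IAM will accept it: IAM
// does not support local passkey registration with Windows Hello, so Windows
// users register through cross-device authentication instead.
async function probeAuthenticators(win) {
  const pkc = win.PublicKeyCredential;
  const out = { platformAuthenticator: null, conditionalMediation: null };
  if (pkc && typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    out.platformAuthenticator = await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
  }
  if (pkc && typeof pkc.isConditionalMediationAvailable === "function") {
    out.conditionalMediation = await pkc.isConditionalMediationAvailable();
  }
  return out;
}

// Constructed window-like objects for running the check outside a browser.
// Any built-in function stands in for the browser's native create().
const nativeCreate = Array.prototype.push;
const SAMPLE_SUPPORTED = {
  isSecureContext: true,
  PublicKeyCredential: function PublicKeyCredential() {},
  navigator: { credentials: { create: nativeCreate } },
};
const SAMPLE_NO_WEBAUTHN = { isSecureContext: true };   // e.g. WebAuthn disabled in Firefox
const SAMPLE_PATCHED = {                                // create() wrapped by a script/extension
  isSecureContext: true,
  PublicKeyCredential: function PublicKeyCredential() {},
  navigator: { credentials: { create: function wrapped() {} } },
};

if (typeof window !== "undefined") {
  console.log(diagnoseWebAuthn(window));
  probeAuthenticators(window).then(console.log);
} else {
  for (const w of [SAMPLE_SUPPORTED, SAMPLE_NO_WEBAUTHN, SAMPLE_PATCHED]) {
    console.log(diagnoseWebAuthn(w));
  }
}
```

If the report shows no problems but registration still fails, the remaining cause on this list is permissions, which only an administrator can confirm.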

System administrators

If your IAM users can't enable their FIDO security keys despite using a supported configuration, check their permissions. For a detailed example, see IAM tutorial: Permit users to manage their credentials and MFA settings.
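The following identity-based policy is an added example in the style of that tutorial, not text copied from it or from this page; check it against the tutorial before attaching it. Each user can view and manage only their own MFA devices (the ${aws:username} policy variable resolves to the signed-in user's name), and the final Deny statement, which is optional, blocks everything else until the user has signed in with MFA. The action list is the set I believe the console needs to register, list and deactivate a FIDO security key; iam:ResyncMFADevice applies only to TOTP devices and is included so the same policy covers both types.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewOwnUserAndMFADevices",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "iam:ListMFADevices"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnMFADevices",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:DeactivateMFADevice",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

Two caveats. iam:DeactivateMFADevice is deliberately left out of the NotAction list so that a session without MFA cannot remove the user's MFA device; and if you extend the Deny statement, every action the console calls during registration must stay in NotAction, otherwise users without a device yet cannot register one. To confirm a specific user's effective permissions, run aws iam simulate-principal-policy with --policy-source-arn and --resource-arns both set to that user's ARN (for example arn:aws:iam::123456789012:user/alice, where the account ID and user name are placeholders) and --action-names iam:EnableMFADevice iam:ListMFADevices. An EvalDecision of implicitDeny or explicitDeny on iam:EnableMFADevice is the permissions failure this section describes.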

I can't sign in using my FIDO security key

If you can't sign in to the AWS Management Console using your FIDO security key, first see Supported configurations for using passkeys and security keys. If you're using a supported configuration but cannot sign in, contact your system administrator for assistance.

I lost or broke my FIDO security key

Up to eight MFA devices of any combination of the currently supported MFA types can be assigned to a user. With multiple MFA devices, you only need one MFA device to sign in to the AWS Management Console. Replacing a FIDO security key is similar to replacing a hardware TOTP token. If you lose or break any type of MFA device, see Recover an MFA protected identity in IAM.

Other issues

If you have an issue with FIDO security keys that is not covered here, do one of the following:

  • IAM users: Contact your system administrator.

  • AWS account root users: Contact AWS Support.