Troubleshooting FIDO security keys - AWS Identity and Access Management

Troubleshooting FIDO security keys

Use the information here to help you diagnose common issues that you might encounter when working with FIDO2 security keys.

I can't enable my FIDO security key

Consult the following solutions, depending on whether you are an IAM user or a system administrator.

IAM users

If you can't enable your FIDO security key, check the following:

  • Are you using a supported configuration?

    For information on devices and browsers you can use with WebAuthn and AWS, see Supported configurations for using FIDO security keys.

  • Are you using Mozilla Firefox?

    Current Firefox versions support WebAuthn by default. If WebAuthn support has been turned off in your Firefox profile, re-enable it as follows:

    1. From the Firefox address bar, type about:config.

    2. In the Search bar of the screen that opens, type webauthn.

    3. Choose security.webauth.webauthn and change its value to true.

  • Are you using any browser plugins?

    AWS does not support the use of plugins to add WebAuthn browser support. Instead, use a browser that offers native support for the WebAuthn standard.

    Even if you're using a supported browser, you may have a plugin that is incompatible with WebAuthn. An incompatible plugin may prevent you from enabling and using your FIDO-compliant security key. You should disable any plugins that might be incompatible and restart your browser. Then retry enabling the FIDO security key.

  • Do you have the appropriate permissions?

    If you don't have any of the above compatibility issues, you may not have the appropriate permissions. Contact your system administrator.

System administrators

If you're an administrator and your IAM users can't enable their FIDO security keys despite using a supported configuration, make sure they have the appropriate permissions. For a detailed example, see IAM tutorial: Permit users to manage their credentials and MFA settings.
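The following identity-based policy is an added example, not the policy from the linked tutorial or from this page: it grants an IAM user only the permissions needed to list and manage their own MFA devices, including enabling a FIDO security key. The `${aws:username}` policy variable scopes each statement to the calling user, and the Sid values are illustrative names chosen for this example. Attach it to the user or to a group the user belongs to, and verify the resource ARNs against the tutorial for your account's conventions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleAllowViewingOwnMFADevices",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/*",
        "arn:aws:iam::*:user/${aws:username}"
      ]
    },
    {
      "Sid": "ExampleAllowManagingOwnMFADevices",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeactivateMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ]
    }
  ]
}
```

If the account also applies a policy that denies all actions unless `aws:MultiFactorAuthPresent` is true, the listing and enabling actions above must be exempted from that deny; otherwise a user who has no MFA device yet cannot register their first security key, and the symptom is exactly the "can't enable" failure described in this section.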

I can't sign in using my FIDO security key

If you're an IAM user and you can't sign in to the AWS Management Console using your FIDO security key, first see Supported configurations for using FIDO security keys. If you're using a supported configuration but cannot sign in, contact your system administrator for assistance.

I lost or broke my FIDO security key

Up to eight MFA devices, in any combination of the currently supported MFA types, can be assigned to a user. With multiple MFA devices registered, you need only one of them to sign in to the AWS Management Console. Replacing a FIDO security key is similar to replacing a hardware TOTP token. For information on what to do if you lose or break any type of MFA device, see What if an MFA device is lost or stops working?.

Other issues

If you have an issue with FIDO security keys that is not covered here, do one of the following:

  • IAM users: Contact your system administrator.

  • AWS account root users: Contact AWS Support.