Using multi-factor authentication (MFA) in AWS - AWS Identity and Access Management
Available MFA types

Using multi-factor authentication (MFA) in AWS

For increased security, we recommend that you configure multi-factor authentication (MFA) to help protect your AWS resources. You can enable MFA for the AWS account root user and IAM users. When you enable MFA for the root user, it affects only the root user credentials. IAM users in the account are distinct identities with their own credentials, and each identity has its own MFA configuration.

You can register up to eight MFA devices of any combination of the currently supported MFA types with your AWS account root user and IAM users. For more information about supported MFA types see Available MFA types for IAM users. With multiple MFA devices, only one MFA device is needed to sign in to the AWS Management Console or create a session through the AWS CLI as that user.

Note

We recommend that you require your human users to use temporary credentials when accessing AWS. Have you considered using AWS IAM Identity Center? You can use IAM Identity Center to centrally manage access to multiple AWS accounts and provide users with MFA-protected, single sign-on access to all their assigned accounts from one place. With IAM Identity Center, you can create and manage user identities in IAM Identity Center or easily connect to your existing SAML 2.0 compatible identity provider. For more information, see What is IAM Identity Center? in the AWS IAM Identity Center User Guide.

Available MFA types for IAM users

MFA adds extra security because it requires users to provide unique authentication from an AWS supported MFA mechanism in addition to their regular sign-in credentials when they access AWS websites or services. AWS supports the following MFA types: passkeys and security keys, virtual authenticator applications, and hardware TOTP tokens.

Passkeys and security keys

AWS Identity and Access Management supports passkeys and security keys for MFA. Based on FIDO standards, passkeys use public key cryptography to provide strong, phishing-resistant authentication that is more secure than passwords. AWS supports two types of passkeys: device-bound passkeys (security keys) and synced passkeys.

  • Security keys: These are physical devices, like a YubiKey, used as a second factor for authentication. A single security key can support multiple root user accounts and IAM users.

  • Synced passkeys: These use credential managers from providers such as Google, Apple, Microsoft accounts, and third-party services like 1Password, Dashlane, and Bitwarden as a second factor.

You can use built-in biometric authenticators, like Touch ID on Apple MacBooks, to unlock your credential manager and sign in to AWS. Passkeys are created with your chosen provider using your fingerprint, face, or device PIN. You can sync passkeys across your devices to facilitate sign-ins with AWS, enhancing usability and recoverability.

IAM does not support local passkey registration for Windows Hello. To create and use passkeys, Windows users should use cross-device authentication where you use a passkey from one device like a mobile device or hardware security key to sign in on another device like a laptop.

The FIDO Alliance maintains a list of all FIDO Certified products that are compatible with FIDO specifications. For more information about enabling passkeys and security keys, see Enable a passkey or security key for the AWS account root user (console).

Virtual authenticator applications

A virtual authenticator application runs on a phone or other device and emulates a physical device. Virtual authenticator apps implement the time-based one-time password (TOTP) algorithm and support multiple tokens on a single device. The user must type a valid code from the device when prompted during sign-in. Each token assigned to a user must be unique. A user can't type a code from another user's token to authenticate.

We do recommend that you use a virtual MFA device while waiting for hardware purchase approval or while you wait for your hardware to arrive. For a list of a few supported apps that you can use as virtual MFA devices, see Multi-Factor Authentication (MFA). For instructions on setting up a virtual MFA device for an IAM user, see Enabling a virtual multi-factor authentication (MFA) device (console).

Hardware TOTP tokens

A hardware device generates a six-digit numeric code based on the time-based one-time password (TOTP) algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each MFA device assigned to a user must be unique. A user cannot type a code from another user's device to be authenticated. For information on supported hardware MFA devices, see Multi-Factor Authentication (MFA). For instructions on setting up a hardware TOTP token for an IAM user, see Enabling a hardware TOTP token (console).

If you want to use a physical MFA device, we recommend that you use security keys as an alternative to hardware TOTP devices. Security keys offer the benefits of no battery requirements, phishing resistance, and they support multiple root and IAM users on a single device for enhanced security.

Note

SMS text message-based MFA – AWS ended support for enabling SMS multi-factor authentication (MFA). We recommend that customers who have IAM users that use SMS text message-based MFA switch to one of the following alternative methods: Passkey or security key, virtual (software-based) MFA device, or hardware MFA device. You can identify the users in your account with an assigned SMS MFA device. To do so, go to the IAM console, choose Users from the navigation pane, and look for users with SMS in the MFA column of the table.

Topics