Enabling Multi-Factor Authentication (MFA) for users - AWS GovCloud (US)

For increased security, we recommend that you configure multi-factor authentication (MFA) to help protect your AWS GovCloud (US) resources. MFA adds extra security because it requires users to enter a unique authentication code from an approved authentication device when they access AWS websites or services.

AWS GovCloud (US) allows you to assign a hardware-based token device, a virtual MFA device, or a FIDO security key with FIPS-validated options to an IAM user or to your GovCloud administrator. A virtual or hardware token-based device generates a six-digit numeric code based on a time-synchronized, one-time password algorithm. The user must enter a valid code from the device on a second web page during sign-in.

FIDO2 is an open authentication standard and an extension of FIDO U2F, based on public key cryptography, which enables strong, phishing-resistant authentication. To learn more about the FIDO2 standard, see FIDO Alliance. Based on your security and compliance needs, you can use both FIPS and non-FIPS FIDO security keys. You can also specify what kinds of authenticators your users can register in your IAM policies based on your preferred certification type and level. For more information about FIDO certifications, see Device certifications.

The following high-level procedure describes how to set up and use MFA in AWS GovCloud (US) and provides links to related information.

  1. MFA devices are supported for IAM users. There is no root user in AWS GovCloud (US). For more information, see AWS Management Console documentation.

  2. Get an MFA device. You can enable only one MFA device per user. The device can be used by the specified user only.

    • A hardware-based token device that AWS supports, such as an OTP token. This device has its unique token seeds shared securely with AWS. Token seeds are secret keys generated at the time of token production. Tokens purchased from other sources will not function with IAM.

    • A virtual token device, which is a software application that is compliant with RFC 6238, a standards-based, time-based one-time password (TOTP) algorithm. You can install the application on a mobile device, such as a tablet or smartphone. For a list of apps you can use as virtual MFA devices, see the "Virtual MFA Applications" section of the Multi-Factor Authentication page.

    • A FIDO2 security key creates a new key pair for use with only AWS. FIDO-certified hardware security keys are provided by third-party providers such as Yubico, which include FIPS-validated options like YubiKey FIPS devices. For a full list, see FIDO devices supported by AWS. To use a FIDO2 security key, your browser must support FIDO2. For a list, see Browsers that support FIDO2.

  3. Enable the MFA device. There are two steps to enabling a device. First, you create an MFA device entity in IAM. Second, you associate the MFA device entity with the IAM user. You can perform these tasks in the AWS Management Console, AWS CLI, AWS Tools for Windows PowerShell, or the IAM API.

    For information about enabling MFA devices, see the following topics:

  4. Use the MFA device when you sign in to or access AWS resources.

For more information, see Using MFA Devices with Your IAM Sign-in Page and Enabling a Virtual Multi-Factor Authentication (MFA) Device.