How to Register an MFA Device - AWS Single Sign-On

How to Register an MFA Device

Use the following procedure to set up a new MFA device for access by a specific user in the AWS SSO console. You must have physical access to the user's MFA device in order to register it. For example, you might configure MFA for a user who will use an MFA device running on a smartphone. In that case, you must have the smartphone available in order to finish the wizard. Because of this, you might want to let users configure and manage their own MFA devices. For details on how to set this up, see How to Allow Users to Register Their Own MFA Devices.

To register an MFA device

  1. Open the AWS SSO console.

  2. In the left navigation pane, choose Directory.

  3. On the Users tab, choose a user in the list.

  4. On the user’s Details page, under Multi-factor authentication (MFA) devices, choose Register MFA device.

  5. On the Device name page, type a friendly name for the new MFA device, and then choose Next. If you have enabled the option to allow users to manage their own devices, this user will see this friendly name in the user portal.

  6. On the Device configuration page, AWS SSO displays configuration information for the new MFA device, including a QR code graphic. The graphic is a representation of the secret key that is available for manual entry on devices that do not support QR codes.

  7. Using the physical MFA device, do the following:

    1. Open a compatible MFA authenticator app. (For a list of apps that you can use for hosting MFA devices, see Multi-Factor Authentication.) If the MFA app supports multiple accounts (multiple MFA devices), choose the option to create a new account (a new MFA device).

    2. Determine whether the MFA app supports QR codes, and then do one of the following on the Device configuration page:

      1. Choose Show QR code, and then use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code. Then use the device's camera to scan the code.

      2. Choose show secret key, and then type that secret key into your MFA app.

        Important

        When you configure an MFA device for AWS SSO, we recommend that you save a copy of the QR code or secret key in a secure place. This can help if the assigned user loses the phone or has to reinstall the MFA authenticator app. If either of those things happen, you can quickly reconfigure the app to use the same MFA configuration. This avoids the need to create a new MFA device in AWS SSO for the user.

  8. On the Device configuration page, under Type the MFA code generated by the app, type the one-time password that currently appears on the physical MFA device.

    Important

    Submit your request immediately after generating the code. If you generate the code and then wait too long to submit the request, the MFA device is successfully associated with the user. But the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.

  9. Choose Register MFA device. The MFA device can now start generating one-time passwords and is now ready for use with AWS.