Multi-factor authentication for Identity Center users - AWS IAM Identity Center

Multi-factor authentication for Identity Center users

Multi-factor authentication (MFA) provides a simple and secure way to add an extra layer of protection on top of the default authentication mechanism of user name and password.

When administrators enable MFA, users must sign in to the AWS access portal with two factors:

  • Their user name and password. This is the first factor and is something users know.

  • Either a code, security key, or biometrics. This is the second factor and is something users have (possession) or are (biometric). The second factor might be either an authentication code generated from their mobile device, a security key connected to their computer, or user’s biometric scan.

Together, these multiple factors provide increased security by preventing unauthorized access to your AWS resources unless a valid MFA challenge has been successfully completed.

Each user can register up to two virtual authenticator apps, which are one-time password authenticator applications installed on your mobile device or tablet, and six FIDO authenticators, which include built-in authenticators and security keys, for a total of eight MFA devices. Learn more about Available MFA types for IAM Identity Center.


As a security best practice, we strongly recommend that you enable MFA.