Considerations before enabling MFA in IAM Identity Center - AWS IAM Identity Center

Before you enable MFA, consider the following:

  • Users are encouraged to register multiple backup authenticators for all enabled MFA types. This practice can prevent loss of access in case of a broken or misplaced MFA device.

  • Don't choose the Require Them to Provide a One-Time Password Sent by Email option if your users must sign in to the AWS access portal to access their email. For example, your users might use Microsoft 365 in the AWS access portal to read their email. In this case, users won't be able to retrieve the verification code and would be unable to sign in to the AWS access portal. For more information, see Configure MFA device enforcement.

  • If you're already using RADIUS MFA that you configured with AWS Directory Service, you don't need to enable MFA within IAM Identity Center. MFA in IAM Identity Center is an alternative to RADIUS MFA for Microsoft Active Directory users of IAM Identity Center. For more information, see RADIUS MFA.

  • You can use MFA capabilities in IAM Identity Center when your identity source is configured with IAM Identity Center’s identity store, AWS Managed Microsoft AD, or AD Connector. MFA in IAM Identity Center is currently not supported for external identity providers.