AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password (the first factor – what they know), as well as for an authentication code from their AWS MFA device (the second factor – what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.

You can enable MFA for your AWS account and for individual IAM users you have created under your account. MFA can be also be used to control access to AWS service APIs.

Once you've obtained a supported hardware or virtual MFA device, AWS does not charge any additional fees for using MFA.

You can also protect cross-account access using MFA.

MWJtuthUs0w-Video-Thumb
3:15
Getting Started with AWS MFA
  Virtual MFA Device Hardware MFA Device

Device

See table below.
Purchase device
Physical Form Factor Use your existing smartphone, tablet, or computer running any application that supports the open TOTP standard. Tamper-evident hardware keyfob device provided by Gemalto, a 3rd-party provider.
Price Free $12.99
Security Better Best
Features Support for multiple tokens on a single device. The same type of device used by many financial services and enterprise IT organizations.

Applications for your smartphone can be installed only from the application store that is specific for your phone type. In the list below are names of some applications for different smartphone types. Additional TOTP applications that may work for your smartphone can be found here, as long as they support 6-digit codes.

For more information about AWS multi-factor authentication, see the IAM FAQs.