AWS Multi-Factor Authentication

AWS Multi-Factor Authentication (AWS MFA) provides an extra level of security that you can apply to your AWS environment. You can enable AWS MFA for your AWS account and for individual AWS Identity and Access Management (IAM) users you have created under your account. With AWS MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password (the first factor – what they know), as well as for an authentication code from their AWS MFA device (the second factor – what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources. Once a customer obtains a supported hardware or virtual MFA device, AWS does not charge any additional fees for the use of AWS MFA. All AWS websites, including the AWS Management Console and the AWS Portal, are integrated with AWS MFA.

Additional information about AWS Multi-Factor Authentication can be found in the AWS MFA FAQs.

How to enable AWS MFA

AWS MFA supports both hardware and virtual MFA devices.

	Virtual MFA Device	Hardware MFA Device
Get device
Physical Form Factor	Use your existing smartphone, tablet, or computer running any application that supports the open TOTP standard.	Tamper-evident hardware keyfob device provided by Gemalto, a 3rd-party provider.
Price	Free	$12.99
Security	Better	Best
Features	Support for multiple tokens on a single device.	The same type of device used by many financial services and enterprise IT organizations.

Sign in to the AWS Identity and Access Management (IAM) console to enable AWS MFA for your AWS account or your IAM users.

Once you enable AWS MFA, every time the AWS account or IAM user tries to sign in to AWS to access your AWS environment, then access is only granted after the correct user name and password is provided together with an authentication code from their authentication device.