AWS Multi-Factor Authentication (AWS MFA) is an additional layer of security that offers enhanced control over your AWS account settings. It is an opt-in account feature that requires a valid six-digit, single-use code from an authentication device in your physical possession in addition to your standard AWS account credentials before access is granted to your AWS account settings.
AWS MFA uses an authentication device that continually generates random, six-digit authentication codes solely for your use. Once you enable AWS MFA, every time somebody tries to sign in to your secure pages on the AWS Portal or AWS Management Console, access will only be granted after the correct Amazon email-id and password (the first “factor”: something you know) and the precise code from your authentication device (the second “factor”: something you have) are provided. This multi-factor authentication provides even greater protection for your AWS account, including extra protection of sensitive information such as your AWS access identifiers and critical actions such as changing your AWS infrastructure service subscriptions. AWS MFA extends this protection to the AWS Management Console so that your AWS resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances or Amazon CloudFront distributions, cannot be modified without multi-factor authentication. You can also use AWS MFA in conjunction with Amazon S3’s Versioning capability for additional protection of your Amazon S3 stored versions.
It is easy to obtain an authentication device from a participating third-party provider and to set it up for use via the AWS website.
1. Purchase Device: get an authentication device compatible with AWS MFA
2. Enable AWS MFA: opt in to the feature by activating your authentication device
3. Use AWS MFA: sign in to AWS using your password and authentication code
Get additional information about Amazon Multi-Factor Authentication by viewing the AWS MFA FAQs.

You can currently obtain authentication devices compatible with AWS MFA from Gemalto, a world leader in digital security.
Gemalto currently offers the Ezio* Time Token hardware device — compact, lightweight, and designed to be carried as a key fob. It is based on the OATH standard for Time-based One-Time Passwords. Click on the button below to obtain your device from the Gemalto website.
*Ezio is a registered trademark of Gemalto, Inc.
Once you have your compatible authentication device, simply click on the corresponding button below to activate it with AWS.
Once you enable AWS MFA, every time somebody tries to sign in to your secure pages on the AWS Portal or AWS Management Console, access will only be granted after the correct Amazon email-id and password are provided on the “Amazon Web Services Sign In” page and the precise code from your authentication device is provided on the following “Sign In With Authentication Code” page.
