AWS Multi-Factor Authentication FAQs


General

Q. What is AWS MFA?

AWS Multi-Factor Authentication (AWS MFA) provides an extra level of security that you can apply to your AWS environment. You can enable AWS MFA for your AWS account and for individual AWS Identity and Access Management (IAM) users you have created under your account.

Q. How does AWS MFA work?

AWS MFA uses an authentication device that generates a fresh six-digit, single-use authentication code at fixed time intervals from a secret shared between the device and AWS (the TOTP scheme). With AWS MFA enabled, when a user signs in to an AWS website they are prompted for their user name and password (the first factor, what they know) as well as for the authentication code currently shown on their AWS MFA device (the second factor, what they have). All AWS websites that require sign-in, such as the AWS Management Console, are integrated with AWS MFA. You can also use AWS MFA together with Amazon S3 Versioning (MFA Delete) for additional protection of the object versions stored in Amazon S3.

Q. How do I get AWS MFA?

You follow three steps:

  1. Get an authentication device. You have two options:
    • Purchase an authentication device that is compatible with AWS MFA from Gemalto, a third party provider, through their website.
    • Install an AWS MFA compatible application (a TOTP authenticator) on a device such as your smartphone.
  2. Once you have the authentication device you must activate it. You activate an AWS MFA device for your AWS account or your IAM users in the IAM console. You can also use the IAM CLI to activate it for an IAM user.
  3. Sign in using your authentication code in addition to your user name and password when accessing secure pages on the AWS website or the AWS Management Console.
Q. Is there a fee associated with using AWS MFA?

AWS does not charge any additional fees for the use of AWS MFA with your AWS account. However, if you want to use a physical authentication device then you will need to purchase an authentication device that is compatible with AWS MFA from Gemalto, a third party provider. For more details, please visit Gemalto’s website.

Q. Can I have multiple authentication devices active for my AWS account?

Yes. With the introduction of AWS Identity and Access Management (IAM), each IAM user can have its own authentication device.

Q. Can I use my authentication device with multiple AWS accounts?

No. The authentication device specifically identifies a single user, and IAM users are scoped to an individual AWS account, so one device cannot be shared across accounts. If you have a TOTP compatible application installed on your smartphone, you can create multiple virtual MFA devices in it, each with its own seed. Each virtual MFA device can then be used with a different AWS account or IAM user.

Q. I already have a hardware authentication device from my place of work or from another service I use, can I re-use this device with AWS MFA?

No. AWS MFA relies on knowing the unique secret associated with your authentication device in order to verify its codes. Because that secret must never be shared between multiple parties, AWS MFA cannot support a hardware authentication device whose secret is already held by another service. Only a compatible hardware authentication device purchased from Gemalto, a third party provider, can be used with AWS MFA.

Purchasing an Authentication Device

Q. I’m having a problem with placing an order for an authentication device using the third party provider Gemalto’s website. Where can I get help?

Gemalto’s customer service will be happy to assist you.

Q. I placed an order for an authentication device via the third party provider Gemalto’s website but have not yet received it. Where can I get help?

Gemalto’s customer service will be happy to assist you.

Q. I received a defective or damaged authentication device from the third party provider Gemalto. Where can I get help?

Gemalto’s customer service will be happy to assist you.

Q. I just received an authentication device from the third party provider Gemalto. What should I do?

You simply need to activate the authentication device to enable AWS MFA for your AWS account.

Use the IAM console or the IAM CLI to enable AWS MFA for your IAM users.

Provisioning a Virtual MFA device

Q. What is a virtual MFA device?

A virtual MFA device is an entry created in a TOTP compatible software application that can generate six-digit authentication codes. The software application can run on any hardware device, such as a smartphone.

Q. What are the differences between a virtual MFA device and physical MFA devices?

Virtual MFA devices use the same protocols as the physical MFA devices. Virtual MFA devices are software based and can run on your existing devices such as smartphones. Most virtual MFA applications also allow you to enable more than one virtual MFA device which makes them more convenient than physical MFA devices.

Q. What virtual MFA applications are supported with AWS MFA?

Applications that generate TOTP compliant authentication codes, such as the AWS Virtual MFA application, can be used with AWS MFA. A virtual MFA device can be provisioned either by scanning a QR code with the device's camera or by entering the seed manually in the virtual MFA application.

Q. What is a QR code?

QR code is an abbreviation of Quick Response code; it is a two-dimensional barcode that is readable by dedicated QR barcode readers and most camera phones. The code consists of black modules arranged in square patterns on a white background. The QR code contains the security configuration information (including the seed) required to provision a virtual MFA device in your virtual MFA application, so a saved image of the QR code is as sensitive as the seed itself.

Q. How do I provision a new virtual MFA device?

A new virtual MFA device can be configured in the IAM console for your IAM users as well as for your AWS account. You can also use the iam-virtualmfadevicecreate command in the IAM CLI or the CreateVirtualMFADevice API to provision new virtual MFA devices under your account. The iam-virtualmfadevicecreate command and the CreateVirtualMFADevice API return the configuration information, called a seed, needed to bootstrap the virtual MFA device in your AWS MFA compatible application; the seed is returned only in that response and cannot be retrieved again later. You can either grant your IAM users the permissions to call this API directly or perform the initial provisioning for them.

Q. How should I handle and distribute the seed material for virtual MFA devices?

You should treat seed material like any other secret (for example, AWS secret access keys and passwords): do not send it through email or chat, and delete any stored copy, whether the Base32 string or the QR code image, once the virtual MFA device has been provisioned and activated.

Q. How can I enable an IAM user to manage virtual MFA devices under my account?

Grant the IAM user permission to call the CreateVirtualMFADevice API, which provisions new virtual MFA devices, and the EnableMFADevice API, which activates a device for a user. Scope those permissions to the user's own resources where possible rather than to every device and user in the account.
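A policy that grants exactly the permissions described above, added here as an illustration (it is not taken from the page or from AWS): it lets each IAM user create a virtual MFA device named after themselves and activate or re-sync it on their own user, and nothing else. It deliberately omits deactivation, matching the page's statement that IAM users cannot disable AWS MFA themselves. It uses current IAM policy syntax (the 2012-10-17 policy version is required for the `${aws:username}` variable); the account id 123456789012 is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOwnVirtualMfaDevice",
      "Effect": "Allow",
      "Action": "iam:CreateVirtualMFADevice",
      "Resource": "arn:aws:iam::123456789012:mfa/${aws:username}"
    },
    {
      "Sid": "ActivateAndResyncOwnDevice",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
    }
  ]
}
```

The resource ARNs do the real work: CreateVirtualMFADevice is constrained to an mfa resource carrying the caller's own user name, and EnableMFADevice is constrained to the caller's own user resource, so a user who obtains another user's seed still cannot activate a device for that user.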

Enabling AWS MFA

Q. Where do I enable AWS MFA?

You can enable AWS MFA for an AWS account and your IAM users in the IAM console. You can also use the IAM CLI or the IAM API to enable AWS MFA for your IAM users.

Q. What information will I need to activate my authentication device?

If you are activating the MFA device with the IAM console then you only need the device. If you are using the IAM CLI or the IAM API then you will need the following:

  1. The serial number of the authentication device. The serial number is different for a hardware device and a virtual device:
    • Hardware MFA device - The serial number on the bar-coded label on the back of the device.
    • Virtual MFA device - The serial number is the value returned when running the iam-virtualmfadevicecreate command in the IAM CLI or when calling the CreateVirtualMFADevice API.
  2. Two consecutive authentication codes displayed by the authentication device (the code shown now and the next one it displays).
Q. My authentication device seems to be working normally, but I am not able to activate it. What should I do?

Please contact us for help.

Using AWS MFA

Q. If I enable AWS MFA for my AWS account or my IAM users, do they always need to enter an authentication code to sign in to all AWS properties?

Yes. AWS supports Single Sign-On (SSO), which means that when you sign in to any AWS site you sign in to all AWS sites. This means that if your AWS account or any of your IAM users has an MFA device assigned, they are always required to use this device when they sign in.

Q. Once I enable AWS MFA for my AWS account or my IAM users, do we always need to enter an authentication code to sign in to the AWS Portal or AWS Management Console?

Yes. The AWS account and your IAM users will need to have their MFA device with them any time they sign in to any AWS site.

If the authentication device associated with the AWS account is damaged, lost, stolen, or stops working, you will need to contact us for help with disabling AWS MFA for the account. This will allow you to temporarily sign in to AWS using just the user name and password for the AWS account.

If an IAM user's authentication device is lost, damaged, stolen, or stops working, you can disable AWS MFA for that user yourself using the IAM console or the IAM CLI.

Q. How do I sign in to the AWS Portal and AWS Management Console using my authentication device?

Follow these two steps:

  1. If you are signing in as an AWS account, sign in as usual with your user name and password when prompted. To sign in as an IAM user, use the account-specific URL and provide your user name and password when prompted.
  2. On the next page, enter the six-digit authentication code that appears on your authentication device.
Q. Does AWS MFA affect how I access AWS Service APIs?

Only for the S3 PUT Bucket versioning and DELETE Object APIs, which can be required to carry an additional authentication code before changing the versioning state of your bucket or deleting an object version (MFA Delete), and GET Bucket versioning, which reports whether MFA Delete is enabled. A request that needs the code carries the device's serial number and a current authentication code, separated by a space, in the x-amz-mfa header. For more information see the S3 documentation on configuring a bucket with MFA Delete.

AWS MFA does not currently change the way you access the AWS service APIs for any other service.

Q. Can I use a given authentication code more than once?

No. For security reasons, each authentication code can be used only once. If you need to sign in again within the same interval, wait for the device to display the next code.

Q. I was recently asked to re-sync my authentication device because my authentication codes were being rejected. Should I be concerned?

No, this can happen occasionally. AWS MFA relies on the clock in your authentication device staying in sync with the clock on our servers. Over time, and under environmental factors such as temperature, humidity, and pressure, these clocks can drift apart. If this happens, when you use the authentication device to sign in to secure pages on the AWS website or the AWS Management Console, we automatically attempt to re-sync the device by asking you for two consecutive authentication codes (just as you did during activation); the pair lets the server measure the drift and correct for it.
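The following constructed example ties together four points on this page: how a device derives its six-digit codes from the shared seed (General), the two consecutive codes that activation asks for (Enabling AWS MFA), the rule that each code is accepted once, and the re-sync by two consecutive codes described above. It is added here and is not AWS code; it implements RFC 4226/6238 HOTP/TOTP, which is what a TOTP compatible application does. The seed is the RFC reference secret, the 30-second step, the drift window and the re-sync search range are assumptions, the account id and user names are placeholders, and StandInIam stands in for a boto3 IAM client (the method and parameter names are boto3's for the CreateVirtualMFADevice and EnableMFADevice calls) so that the whole flow runs offline.

```python
# Constructed example, not AWS code: the TOTP arithmetic behind AWS MFA codes, the
# two consecutive codes activation needs, single-use enforcement and re-sync after
# clock drift.  Seed = RFC 4226/6238 reference secret; account id and names are
# placeholders; StandInIam replaces a boto3 IAM client so the flow runs offline.
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # assumed time step (RFC 6238 default); the page does not state AWS's
DIGITS = 6     # AWS MFA codes are six digits
REFERENCE_SECRET = b"12345678901234567890"                    # RFC 4226/6238 test secret
REFERENCE_SEED = base64.b32encode(REFERENCE_SECRET).decode()  # Base32, as an app receives it

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(base32_seed: str, at: int) -> str:
    """RFC 6238 TOTP (the device side): HOTP with the counter derived from Unix time."""
    return hotp(base64.b32decode(base32_seed.upper()), at // STEP)

def two_consecutive_codes(base32_seed: str, at: int) -> tuple:
    """What activation asks for: the code displayed now and the one displayed next."""
    return totp(base32_seed, at), totp(base32_seed, at + STEP)

class StandInIam:
    """Offline stand-in for boto3.client("iam"); only the two methods used below."""
    def __init__(self):
        self.enabled = None

    def create_virtual_mfa_device(self, VirtualMFADeviceName, Path="/"):
        # The real response is the only place the seed is ever returned.
        return {"VirtualMFADevice": {
            "SerialNumber": "arn:aws:iam::123456789012:mfa" + Path + VirtualMFADeviceName,
            "Base32StringSeed": REFERENCE_SEED.encode()}}

    def enable_mfa_device(self, **kwargs):
        self.enabled = kwargs

def provision_virtual_mfa(iam, user_name: str, device_name: str, now=None) -> str:
    """CreateVirtualMFADevice, derive two codes from the returned seed, EnableMFADevice.
    Method and parameter names are boto3's for those two IAM API calls."""
    device = iam.create_virtual_mfa_device(VirtualMFADeviceName=device_name)["VirtualMFADevice"]
    seed = device["Base32StringSeed"].decode()    # a secret: never log it, discard after use
    code1, code2 = two_consecutive_codes(seed, int(time.time()) if now is None else now)
    iam.enable_mfa_device(UserName=user_name, SerialNumber=device["SerialNumber"],
                          AuthenticationCode1=code1, AuthenticationCode2=code2)
    return device["SerialNumber"]

class MfaVerifier:
    """Server-side model of the behaviour the page describes; an illustration, not AWS's
    implementation, and the window and search sizes are assumptions."""
    def __init__(self, base32_seed: str, window: int = 1):
        self.secret = base64.b32decode(base32_seed.upper())
        self.window = window       # tolerate +/- this many steps of drift
        self.offset = 0            # device clock offset in steps, learned at (re)sync
        self.last_counter = -1     # highest counter already spent (replay guard)

    def verify(self, code: str, at: int) -> bool:
        base = at // STEP + self.offset
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter > self.last_counter and hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter   # each code is accepted once
                return True
        return False

    def resync(self, code1: str, code2: str, at: int, search: int = 100) -> bool:
        """Activation / re-sync: find two consecutive counters near `at` matching both codes."""
        base = at // STEP
        for delta in range(max(-search, -base), search + 1):
            if hotp(self.secret, base + delta) == code1 and hotp(self.secret, base + delta + 1) == code2:
                self.offset, self.last_counter = delta, base + delta + 1
                return True
        return False

def walkthrough() -> dict:
    """Provision and activate, sign in, replay the code, drift the device clock, re-sync."""
    iam = StandInIam()
    serial = provision_virtual_mfa(iam, "alice", "alice-phone", now=59)
    server, t = MfaVerifier(REFERENCE_SEED), 1111111109
    code = totp(REFERENCE_SEED, t)
    first, replay = server.verify(code, t), server.verify(code, t)
    drifted = two_consecutive_codes(REFERENCE_SEED, t + 300)      # device clock 5 min ahead
    rejected, synced = server.verify(drifted[0], t), server.resync(drifted[0], drifted[1], t)
    after = server.verify(totp(REFERENCE_SEED, t + 360), t + 60)  # next code now accepted
    return {"serial": serial, "first": first, "replay": replay, "drifted_rejected": rejected,
            "resynced": synced, "offset_steps": server.offset, "after_resync": after,
            "activation_codes": (iam.enabled["AuthenticationCode1"],
                                 iam.enabled["AuthenticationCode2"])}

if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Run it as a script to print the walkthrough. The verifier refuses the code from a device whose clock is five minutes ahead, accepts the device again once the two consecutive codes have let it measure an offset of ten steps, and refuses a replayed code even though that code is still inside the drift window; the replay guard (the highest spent counter) is what turns "each code can be used only once" from a convention into a check.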

Q. My authentication device seems to be working normally, but I am not able to use it to sign in to the AWS Portal or AWS Management Console. What should I do?

We suggest you try re-syncing the authentication device. If you have already tried to re-sync and are still having trouble signing in, please contact us for help.

Q. My authentication device is lost, is damaged, or has been stolen and now I can’t sign in to the AWS Portal or AWS Management Console. What should I do?

If the authentication device is associated with an AWS account, follow these steps:

  1. Contact us for help with disabling AWS MFA so you can temporarily access secure pages on the AWS website and the AWS Management Console using just your user name and password.
  2. Change your AWS account password, in case an attacker who has stolen your authentication device also has your current password.
  3. Purchase a new authentication device from the third party provider Gemalto using their website or provision a new virtual MFA device under your account using the IAM console.
  4. Once you have completed the steps above, use the IAM console to activate the authentication device to re-enable AWS MFA for your AWS account.

If the authentication device is associated with an IAM user, you can use the IAM console, IAM CLI or IAM API to remove the MFA device for the IAM user.

Q. My physical authentication device has stopped working and now I can’t sign in to the AWS Portal or AWS Management Console. What should I do?

If the physical authentication device is associated with an AWS account, follow these steps:

  1. Contact us for help with disabling AWS MFA so you can temporarily access secure pages on the AWS website and the AWS Management Console using just your user name and password.
  2. Contact the third party provider Gemalto for further assistance with the authentication device.
  3. Once you have another authentication device, come back to the AWS website and activate the authentication device to re-enable AWS MFA for your AWS account, just as before.

If the authentication device is associated with an IAM user, you should contact the person who gave you the user name and password for the IAM user.

Q. How do I disable AWS MFA?

To disable AWS MFA for your AWS account, you need to deactivate your authentication device using the Security Credentials page. To disable AWS MFA for your IAM users, you need to use the IAM console or the IAM CLI. Currently, IAM users cannot disable AWS MFA themselves.

©2011, Amazon Web Services LLC or its affiliates. All rights reserved.