
Q. What is AWS MFA?
-
AWS Multi-Factor Authentication is an additional layer of security that offers enhanced control over your AWS account settings.
-
Q. How does AWS MFA work?
-
AWS MFA uses an authentication device that continually generates random, six-digit authentication codes solely for your use. Once you enable AWS MFA, every time somebody tries to sign in to your secure pages on the AWS website or AWS Management Console, access will only be granted after the correct Amazon email-id and password (the first “factor”: something you know) and the current code from your authentication device (the second “factor”: something you have) are provided.
-
Q. How does AWS MFA help me?
-
AWS MFA provides even greater protection for your AWS account, including extra protection of sensitive information such as your AWS access identifiers and critical actions such as changing your AWS infrastructure service subscriptions. It also extends this protection to the AWS Management Console so that your AWS resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances or Amazon CloudFront distributions, cannot be modified without multi-factor authentication.
-
Q. How do I get AWS MFA?
-
You follow three easy steps:
- Purchase an authentication device that is compatible with AWS MFA from Gemalto, a third party provider, using their website. Details here.
- Once you have the device, come back to the AWS website and activate the device to enable AWS MFA for your AWS account. Details here.
- Sign in using your authentication code in addition to your Amazon email-id and password when accessing secure pages on the AWS website or accessing the AWS Management Console. Details here.
-
Q. Is there a fee associated with using AWS MFA?
-
AWS does not charge any additional fees for the use of AWS MFA with your AWS account. However, you will need to purchase an authentication device that is compatible with AWS MFA from Gemalto, a third party provider. For more details, please visit Gemalto’s website.
-
Q. Does AWS MFA affect how I access AWS Service APIs?
-
No. AWS MFA does not currently change the way you access AWS service APIs.
-
Q. Can I have multiple authentication devices active for my AWS Account?
-
No. The authentication device aims to specifically identify a single user that owns the device. Since an AWS account is currently associated with a single user identity, it can only have a single authentication device active at any given time.
-
Q. Can I use my authentication device with multiple AWS accounts?
-
No. The authentication device aims to specifically identify a single user that owns the device. Since a single user identity can currently only be associated with a single AWS account, the user’s authentication device can only be used with that AWS account.
-
Q. I already have an authentication device from my place of work or from another service I use. Can I re-use this device with AWS MFA?
-
No. AWS MFA relies on knowing a unique secret associated with your authentication device in order to support its use. Because of security constraints that mandate such secrets never be shared between multiple parties, AWS MFA cannot support the use of your existing authentication device. Only a compatible device purchased from Gemalto, a third party provider, can be used with AWS MFA.
-
Q. How do I disable AWS MFA for my AWS account?
-
To disable AWS MFA for your AWS account, you need to deactivate your authentication device using the Security Credentials page.
-
Q. If I enable AWS MFA for my AWS account, will I need an authentication code to sign in to all Amazon properties?
-
No. AWS MFA currently applies only to the following:
- Secure pages on the AWS Portal (http://aws.amazon.com)
- AWS Management Console (https://console.aws.amazon.com)
At this time, sign-ins to other AWS/Amazon properties do not change (they continue to take just your Amazon email-id and password). These include:
- Amazon.com (http://www.amazon.com)
- Amazon Payments (http://payments.amazon.com)
- AWS discussion forums (http://aws.amazon.com/forums)
- Amazon Mechanical Turk (http://requester.mturk.com)
- Premium Support (https://developer.amazonwebservices.com/connect/support.jspa)
- Seller Central (http://sellercentral.amazon.com)
-
Q. Once I enable AWS MFA for my AWS account, will I always need an authentication code to sign in to the AWS Portal or AWS Management Console?
-
Yes. You will need to have your authentication device with you at any time you need to sign in to access secure pages on the AWS website or the AWS Management Console. In case you’ve lost or damaged your authentication device, it has been stolen, or it has stopped working, you will need to contact us for help with disabling AWS MFA. This will allow you to temporarily sign in to AWS using just your Amazon email-id and password.
-
Q. I’m having a problem with placing an order for an authentication device using the third party provider Gemalto’s website. Where can I get help?
-
Gemalto’s customer service will be happy to assist you.
-
Q. I placed an order for an authentication device via the third party provider Gemalto’s website but have not yet received it. Where can I get help?
-
Gemalto’s customer service will be happy to assist you.
-
Q. I received a defective or damaged authentication device from the third party provider Gemalto. Where can I get help?
-
Gemalto’s customer service will be happy to assist you.
-
Q. I just received an authentication device from the third party provider Gemalto. What should I do?
-
You simply need to activate the device to enable AWS MFA for your AWS account. Click here to start.
-
Q. Where do I enable AWS MFA by activating my authentication device?
-
At the AWS website. Click here to start.
-
Q. What information will I need to activate my authentication device?
-
You will need the following:
- The serial number of the device, which can be found on the bar-coded label on the rear of the device.
- Two consecutive authentication codes displayed by the device.
-
Q. My authentication device seems to be working normally, but I am not able to activate it. What should I do?
-
Please contact us for help.
-
Q. How do I sign in to the AWS Portal and AWS Management Console using my authentication device?
-
Follow these two steps:
- When you’re prompted, sign in as usual with your Amazon email-id and password.
- On the next page, enter the six-digit authentication code that currently appears on your authentication device.
-
Q. Can I use a given authentication code more than once?
-
No. For security reasons, each authentication code can be used only once.
-
Q. I was recently asked to re-sync my authentication device because my authentication codes were being rejected. Should I be concerned?
-
No, this is expected behavior and can happen occasionally. AWS MFA relies on the clock in your authentication device being in sync with the clock on our servers. Sometimes, due to environmental factors such as temperature, humidity, and pressure, these clocks can drift apart. If this happens, when you use the device to sign in to access secure pages on the AWS website or the AWS Management Console, we will automatically attempt to re-sync the device by requesting that you provide two consecutive authentication codes (just as you did during activation).
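The single-use rule and the two-code re-sync described above can be modelled on the server side as follows. This is an added example, not AWS or Gemalto code: the page does not name the code algorithm, so an RFC 6238-style HMAC-SHA1 scheme with a 30-second step is assumed, and `Device`, `verify`, `resync` and the window sizes are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; assumed, the page does not state the interval


def code_at(secret: bytes, counter: int) -> str:
    """Six-digit code for one time step (HOTP truncation, RFC 4226)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class Device:
    """Server-side record for one activated device (hypothetical model)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = 0          # learned offset, in steps, between device and server
        self.last_used = -1     # highest step already accepted (replay guard)

    def _step(self, now: float) -> int:
        return int(now // STEP) + self.drift

    def verify(self, code: str, now: float, window: int = 1) -> bool:
        """Accept a code near the expected step, and never the same step twice."""
        base = self._step(now)
        for step in range(base - window, base + window + 1):
            if step > self.last_used and hmac.compare_digest(code_at(self.secret, step), code):
                self.last_used = step
                return True
        return False

    def resync(self, first: str, second: str, now: float, search: int = 20) -> bool:
        """Find the step where two consecutive codes match, then store the drift."""
        base = int(now // STEP)
        for step in range(base - search, base + search + 1):
            if (hmac.compare_digest(code_at(self.secret, step), first)
                    and hmac.compare_digest(code_at(self.secret, step + 1), second)):
                self.drift = step - base
                self.last_used = max(self.last_used, step + 1)
                return True
        return False
```

Requiring two consecutive codes lets the server search a much wider time range than it would accept at sign-in, because a chance match on both codes is far less likely than on one.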
-
Q. My authentication device seems to be working normally, but I am not able to use it to sign in to the AWS Portal or AWS Management Console. What should I do?
-
We suggest you try re-syncing the device. If you have already tried to re-sync and are still having trouble with logins, please contact us for help.
-
Q. My authentication device is lost, is damaged, or has been stolen and now I can’t sign in to the AWS Portal or AWS Management Console. What should I do?
-
Follow these steps:
- Contact us for help with disabling AWS MFA so you can temporarily access secure pages on the AWS website and the AWS Management Console using just your Amazon email-id and password.
- Change your Amazon password in case an attacker has stolen your authentication device and may also have your current password.
- Purchase a new authentication device from the third party provider Gemalto using their website.
- Once you have the device, come back to the AWS website and activate the device to re-enable AWS MFA for your AWS account.
-
Q. My authentication device has stopped working and now I can’t sign in to the AWS Portal or AWS Management Console. What should I do?
-
Follow these steps:
- Contact us for help with disabling AWS MFA so you can temporarily access secure pages on the AWS website and the AWS Management Console using just your Amazon email-id and password.
- Contact the third party provider Gemalto for further assistance with the device.
- Once you have another authentication device, come back to the AWS website and activate the device to re-enable AWS MFA for your AWS account just as before.