AWS Public Sector Blog

Announcing the Availability of Hardware Multi-Factor Authentication in the AWS GovCloud (US) Region

Hardware multi-factor authentication (MFA) is now available in the AWS GovCloud (US) Region to help bolster data security while giving you control over token keys with access to your data.

AWS Multi-Factor Authentication (MFA) is a best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to the AWS GovCloud (US) Region, they are prompted for their user name and password (the first factor, or “what they know”), as well as for an authentication code from their AWS MFA device (the second factor, or “what they have”). Taken together, these factors provide increased security for AWS GovCloud (US) account settings and resources.

The AWS GovCloud (US)-specific tokens are distributed by SurePassID, a third-party digital security company, and implement the Initiative for Open Authentication Time-based One-Time Password (OATH TOTP) standard. The MFA token keys are stored in the AWS GovCloud (US) Region with a separate AWS Identity and Access Management (IAM) environment to create logical isolation from other regions during authentication. SurePassID tokens are available for purchase on Amazon.com.
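The OATH TOTP scheme named above can be sketched as follows. This is an added example, not AWS or SurePassID code; it shows why the stored token key is the sensitive asset, since every code is derived from that key and the current time. The 6-digit length, 30-second step, HMAC-SHA-1, and the `verify` helper with its `window` and `last_step` parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length (assumed for this example)


def totp(key: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP with HMAC-SHA-1: RFC 4226 HOTP over the time-step counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key: bytes, code: str, unix_time: int, last_step: int = -1, window: int = 1):
    """Return the matched time step, or None if the code is rejected.

    window    -- time steps of clock drift tolerated on either side
    last_step -- highest step already accepted for this token; anything at or
                 below it is refused so a captured code cannot be replayed
    """
    current = unix_time // STEP
    matched = None
    for step_no in range(max(0, current - window), current + window + 1):
        expected = totp(key, step_no * STEP)
        # Constant-time comparison; every candidate step is always checked.
        same = hmac.compare_digest(expected.encode(), code.encode())
        if same and step_no > last_step:
            matched = step_no
    return matched


# Constructed sample: the published RFC 6238 test key, not a real token seed.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    now = 1111111109
    code = totp(RFC_KEY, now)
    accepted = verify(RFC_KEY, code, now)
    print("code:", code, "accepted at step:", accepted)
    # Same code presented again 20 seconds later is refused as a replay.
    print("replay:", verify(RFC_KEY, code, now + 20, last_step=accepted))
```

Anyone holding the key can compute valid codes for any point in time, which is why where the token keys are stored matters.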

You can enable MFA for your AWS GovCloud (US) account and for individual IAM users you have created under your account. You can also use MFA to control access to AWS GovCloud (US) service APIs.

AWS does not charge any additional fees for using MFA, so after you have obtained a supported hardware or virtual MFA device, you can start to deploy MFA at no additional cost.

To learn more about MFA for the AWS GovCloud (US) Region, see AWS GovCloud (US) Product Details.