AWS Security Blog

Important Notification About Your AWS Virtual MFA Device

** Update: the Google Authenticator application for iOS has been updated and is now available from Apple’s App Store. It no longer has the issue of potentially losing existing AWS MFA tokens that is reported in this post.

Do you use Google Authenticator for iOS for AWS MFA? If so, then read this!

If you use Google Authenticator for iOS for AWS MFA to secure your AWS account, please read on. Google recently released an update to the Google Authenticator app in the Apple App Store. We’ve received reports indicating that this update is deleting all MFA tokens from the smartphone. This could prevent you from authenticating to your AWS account. Google has since pulled the Google Authenticator application from the App Store and is presumably working on a fix for this issue.

We wanted to give AWS customers guidance on how to best proceed until a fix is provided. How you proceed depends on whether you’ve upgraded and whether you can access AWS. 

If you usually sign in using the root account and you can sign in (i.e. you have not upgraded yet)

If you have not upgraded your Google Authenticator app for iOS, you don’t need to do anything. To ensure that future upgrades to your iOS MFA app don’t disrupt access to your AWS account, take the following steps:

  1. Sign in to your AWS account.
  2. Deactivate MFA on your root account.
  3. Upgrade to the latest version of Google Authenticator for iOS (or another AWS-compatible iOS app, such as Okta Verify or HDE OTP).
  4. Reactivate MFA on your root account.

If you usually sign in using the root account and you cannot sign in (i.e. you have already upgraded)

If you have already upgraded your Google Authenticator app and are no longer able to sign in, you can request assistance from AWS Customer Service.

If you usually sign in as an IAM user and you can sign in (i.e. you have not upgraded yet)

Follow the steps above under “If you usually sign in using the root account and you can sign in.”

If you usually sign in as an IAM user and cannot sign in (i.e. you have already upgraded)

If you have IAM permissions to manage your own MFA devices, do the following:

  1. Deactivate MFA on your IAM user using the IAM console or using the new AWS CLI deactivate-mfa-device command.
  2. Reactivate MFA on your IAM user using the console or using the create-virtual-mfa-device command.

If you don’t have permissions to manage your own MFA devices, have your account administrator deactivate MFA on your IAM user and then reactivate it.
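The two IAM-user steps above, scripted with the AWS CLI as an added example (not code from the post). It assumes the CLI is configured with credentials allowed to manage the user's MFA devices; note that after deactivation the old virtual device still exists and must be deleted before its name can be reused, and that a newly created virtual device is only bound to the user by a separate enable-mfa-device call with two consecutive codes from the freshly enrolled app.

```shell
#!/bin/sh
# Added example: rotate an IAM user's virtual MFA device after the
# authenticator app lost its tokens. Requires a configured AWS CLI.
set -eu

# Serial numbers (ARNs for virtual devices) of every MFA device on the user.
list_mfa_serials() {
    aws iam list-mfa-devices --user-name "$1" \
        --query 'MFADevices[].SerialNumber' --output text
}

# Step 1 of the post: deactivate MFA on the IAM user, one call per device.
deactivate_all_mfa() {
    user="$1"
    for serial in $(list_mfa_serials "$user"); do
        aws iam deactivate-mfa-device --user-name "$user" --serial-number "$serial"
        case "$serial" in
            # Virtual devices (ARN serials) linger after deactivation; delete
            # them so the device name can be reused. Hardware serials are left.
            arn:*) aws iam delete-virtual-mfa-device --serial-number "$serial" ;;
        esac
    done
}

# Step 2 of the post: create a fresh virtual device (QR code written to $3),
# then enable it with two consecutive codes ($4, $5) from the app.
# Prints the new device's serial number.
reactivate_mfa() {
    user="$1"; name="$2"; qr_png="$3"; code1="$4"; code2="$5"
    serial=$(aws iam create-virtual-mfa-device \
        --virtual-mfa-device-name "$name" \
        --outfile "$qr_png" --bootstrap-method QRCodePNG \
        --query 'VirtualMFADevice.SerialNumber' --output text)
    aws iam enable-mfa-device --user-name "$user" --serial-number "$serial" \
        --authentication-code1 "$code1" --authentication-code2 "$code2"
    echo "$serial"
}
```

Usage: `deactivate_all_mfa alice`, scan the QR code produced by `reactivate_mfa alice alice-mfa ./alice-mfa.png 123456 654321` (constructed sample values) into the app, and supply two consecutive codes from it as the last two arguments.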

We’ll post more information on this announcement in the AWS Forums as we have it. If you’re still having AWS access problems related to MFA, contact AWS Customer Service for assistance.

Kai Zhao
Product Manager, AWS Identity and Access Management