AWS Security Blog
Reset Your AWS Root Account’s Lost MFA Device Faster by Using the AWS Management Console
August 8, 2022 – We made minor updates to some of the steps and images for resetting a lost MFA device.
To help secure your AWS resources, AWS recommends that you follow the AWS Identity and Access Management (IAM) best practice of enabling multi-factor authentication (MFA) for the root user of your account. With MFA turned on, the root user of your account is required to submit one form of authentication, which is the account password, and another form of authentication, such as a one-time password (OTP) from an MFA device. If you have MFA enabled on your root account and you lose or misplace your root MFA device, you can now reset it by using the AWS Management Console.
Now, your root user can use the AWS sign-in page to verify your root account’s email address and phone number. Then, the root user can deactivate the lost MFA device and set up a new MFA device in its place. Note that this information verification feature is available only for AWS root users with a phone number associated with their root account. If your root user does not have a valid phone number associated with your root account, the root user must call AWS Support to reset the lost MFA device.
In this blog post, I demonstrate how to reset a lost MFA device faster by using the AWS Management Console to verify your root user’s email address and phone number. I then demonstrate how to set up a virtual MFA device that you can use in place of the lost MFA device.
Note: If you are using an AWS account created after September 14, 2017, you might see differences in the following console pages: Sign in with authentication device and Troubleshoot your authentication device. However, the same features are provided. In either case, if you cannot verify your account email address and phone number using alternative factors of authentication, contact AWS Support to deactivate your MFA setting.
Reset a lost MFA device
In this section, I demonstrate how to reset a lost MFA device. To reset your MFA device, you must know and have access to the email address and phone number associated with your root account.
Follow these steps to reset your lost MFA device:
1. Navigate to the AWS sign-in page, and enter your root account’s email address.
2. On the Root user sign in page, enter the password of your root account.
3. On the Multi-factor authentication page, choose Troubleshoot MFA.
4. On the Troubleshoot your authentication device page, choose Sign in using alternative factors under Sign in using alternative factors of authentication.
5. On Step 1: Email address verification, validate that the email address is correct and choose Send verification email.

   AWS sends an email with the subject line, AWS Email Verification, to the address associated with the root account. After the email is sent to your address, you will see Email sent under Step 1, as shown in the following screenshot. If you do not see the verification email in the root user’s inbox, check the spam folder or choose Resend the email under Step 1. After you locate the email, you can close the current browser tab. Follow the directions in the email to proceed with the verification process.
6. In the email from AWS with the subject line, AWS Email Verification, choose Verify your email address.
7. When you choose the verification link, your email is verified and you are taken to Step 2 of the verification process. In Step 2: Phone number verification, pay close attention to the phone number listed. In the example below, it shows that the call will go to a phone number ending in 7890.

   If the number is correct, choose Call me now to start the phone number verification process.
8. Answer the phone call from AWS and use your phone’s keypad to submit the six-digit verification code that appears on your computer screen.
9. After you have verified your root account’s email address and phone number, proceed to Step 3: Sign In. In Step 3, choose Sign in to the console to sign in to the AWS Management Console.
10. You are automatically redirected to the Your Security Credentials page, where you can deactivate your lost MFA device. To deactivate the MFA device, in the Multi-factor authentication (MFA) section, under Actions, choose Manage.
11. In the Manage MFA device section, select the radio button next to Remove and then choose Remove.

    Note: If you find your MFA device later, you can reactivate it on the same Your Security Credentials page. A reactivated device is treated like a new device, so choose Activate MFA to reactivate a device.
12. You have successfully deactivated your lost MFA device. You will no longer see any details associated with the lost MFA device in the console. You now will see an Activate MFA option (see the following screenshot) that you can use to activate a new MFA device.
We recommend that you enable a new MFA device on your root account as soon as possible to ensure that your root account is protected by MFA. If you find your lost MFA device, you can reactivate it (see Step 11 earlier in this post).
In place of your lost MFA device, you can use a virtual MFA device to ensure that your root account remains protected by MFA. In the next section, I show how to set up a virtual MFA device and associate it with your root account.
Associate a virtual MFA device with your root account
After you deactivate your lost MFA device, you can associate a virtual MFA device with your root account to help secure your AWS resources. You need to download a virtual MFA app such as Google Authenticator or Authy 2-Factor Authentication to use virtual MFA with your AWS account.
To associate a virtual MFA device with your root account:
1. Choose Activate MFA on the Your Security Credentials page.
2. In the Manage MFA device section, choose Virtual MFA device and then choose Continue.
3. If you do not have an AWS MFA-compatible application, install one of the available applications.
4. Open the virtual MFA app on your phone and choose the option to create a new account.
5. Use the app to scan the QR code on your computer screen. Alternatively, you can choose Show secret key, and then enter the secret key in the MFA app.
6. In the MFA code 1 box, enter the OTP that appears in the virtual MFA app. Wait for up to 30 seconds for the app to generate a second OTP. Enter the second OTP in the MFA code 2 box and then choose Assign MFA.
You have now successfully enabled virtual MFA and associated it with your root account, and your root account is now protected by using MFA. You will use the virtual MFA app to generate an authentication code for subsequent sign-ins.
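To show what the virtual MFA app is doing when it produces MFA code 1 and MFA code 2, here is an added example (not part of the original post and not an AWS tool) that computes RFC 6238 time-based OTPs from a base32 secret key of the kind shown behind Show secret key, using the 30-second step and six digits that AWS virtual MFA devices use. The secret and timestamps are constructed test values taken from RFC 4226/6238, not a real AWS key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890",
# base32-encoded. It is NOT a real AWS secret key; substitute the value shown by
# the console's "Show secret key" link when trying this against your own device.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code, as used by AWS virtual MFA devices
DIGITS = 6       # length of the OTP the app displays


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret the console displays (spaces and missing padding tolerated)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 input must be a multiple of 8 characters
    return base64.b32decode(cleaned)


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret_b32, unix_time // step)


def seconds_until_next_code(unix_time: int, step: int = TIME_STEP) -> int:
    """How long the 'wait for up to 30 seconds' step takes from the given moment."""
    return step - (unix_time % step)


def consecutive_codes(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> tuple:
    """The pair the Assign MFA form asks for: the current code (MFA code 1) and the code
    from the following window (MFA code 2), so AWS can confirm the device is in sync."""
    return totp(secret_b32, unix_time, step), totp(secret_b32, unix_time + step, step)


if __name__ == "__main__":
    now = int(time.time())
    code1, code2 = consecutive_codes(DEMO_SECRET_B32, now)
    print(f"MFA code 1: {code1}  (next code in {seconds_until_next_code(now)} s)")
    print(f"MFA code 2: {code2}")
```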
In this blog post, I demonstrated how you can reset your AWS root account’s lost MFA device by using the AWS Management Console. I also showed how you can associate a virtual MFA device with your root account.
If you have comments about resetting an MFA device for root users, submit them in the “Comments” section below. If you have implementation questions, start a thread on the IAM forum or contact AWS Support.