AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs into the AWS GovCloud (US) region, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your GovCloud account settings and resources.
You can enable MFA for your GovCloud account and for individual IAM users you have created under your account. MFA can also be used to control access to AWS GovCloud service APIs. After you've obtained a supported hardware or virtual MFA device, AWS does not charge any additional fees for using MFA.
For more information on Virtual MFA Devices, see the AWS MFA web page.
Device | Virtual Authenticator Apps | Hardware TOTP Tokens | FIDO Security Key |
Description | Use your existing smartphone or tablet running any application that supports the open TOTP standard. | Tamper-evident hardware key fob device provided by a third-party provider. | FIDO-certified hardware security keys are provided by third-party providers such as Yubico. The FIDO Alliance maintains a list of all FIDO-certified products that are compatible with FIDO specifications. |
Features | Support for multiple tokens on a single device. | The same type of device used by many financial services and enterprise IT organizations. FIPS 140-2 validated. |
FIDO authentication standards are based on public key cryptography, which enables strong, phishing-resistant authentication that is more secure than passwords. FIDO security keys support multiple IAM users using a single security key. Has FIPS-validated options such as YubiKey FIPS Series. |