Available MFA methods for IAM
You can manage your MFA devices in the IAM console. The following options are the MFA methods that IAM supports.
FIDO security keys
FIDO-certified hardware security keys are provided by third-party providers such as Yubico. The FIDO Alliance maintains a list of all FIDO-certified products that are compatible with FIDO specifications. FIDO authentication standards are based on public key cryptography, which enables strong, phishing-resistant authentication that is more secure than passwords. A single FIDO security key can be used with multiple root accounts and IAM users. FIDO security keys are supported for IAM users in the AWS GovCloud (US) Regions and in other AWS Regions. For more information about enabling FIDO security keys, see Enabling a FIDO security key.
AWS offers a free MFA security key to eligible AWS account owners in the United States. To determine eligibility and order a key, see the Security Hub console.

Virtual authenticator apps
Virtual authenticator apps implement the time-based one-time password (TOTP) algorithm and support multiple tokens on a single device. Virtual authenticators are supported for IAM users in the AWS GovCloud (US) Regions and in other AWS Regions. For more information about enabling virtual authenticators, see Enabling a virtual multi-factor authentication (MFA) device.
You can install apps for your smartphone from the app store that is specific to your type of smartphone. Some app providers also have web and desktop applications available. See the following table for examples.

Hardware TOTP tokens
Hardware tokens also support the TOTP algorithm and are provided by Thales, a third-party provider. These tokens are for use exclusively with AWS accounts. For more information, see Enabling a hardware MFA device.
To ensure compatibility with AWS, you must purchase your MFA tokens through the links on this page. Tokens purchased from other sources might not function with IAM because AWS requires unique “token seeds,” secret keys generated at the time of token production. Only tokens purchased through the links on this page have their token seeds shared securely with AWS. The MFA tokens are offered in two forms: the OTP token and the OTP display card.
Hardware TOTP tokens for the AWS GovCloud (US) Regions
Hardware TOTP tokens are compatible with the AWS GovCloud (US) Regions and are provided by Hypersecu, a third-party provider. These tokens are for use exclusively by IAM users with AWS GovCloud (US) accounts.
To ensure compatibility with AWS, you must purchase your MFA tokens through the links on this page. Tokens purchased from other sources might not function with IAM because AWS requires unique “token seeds,” secret keys generated at the time of token production. Only tokens purchased through the links on this page have their token seeds shared securely with AWS. The MFA tokens are offered in the OTP token format.
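The sketch below is an added example, not AWS code. It illustrates the TOTP algorithm named in the virtual authenticator and hardware token sections, and why a token works only if the verifier holds the same seed. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits), which this page does not specify; both seeds are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6   # code length (assumed; the page does not state it)

def totp(seed: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Token side: derive the one-time code from the seed and the clock."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(seed: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Verifier side: recompute from its own copy of the seed, allowing
    the token clock to be off by up to drift_steps time steps."""
    for delta in range(-drift_steps, drift_steps + 1):
        t = unix_time + delta * STEP
        if t < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(totp(seed, t).encode(), code.encode()):
            return True
    return False

# Constructed sample seeds. The first is the RFC 6238 test-vector seed.
PROVISIONED_SEED = b"12345678901234567890"  # known to token and verifier
FOREIGN_SEED = b"09876543210987654321"      # never shared with the verifier

if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector timestamp
    good = totp(PROVISIONED_SEED, now)
    bad = totp(FOREIGN_SEED, now)
    print("provisioned token:", good, verify(PROVISIONED_SEED, good, now))
    print("foreign token:    ", bad, verify(PROVISIONED_SEED, bad, now))
```

A code from the token whose seed the verifier never received is rejected even though the token itself works as designed, which is the failure the purchasing requirement above is meant to prevent.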
