AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.

You can enable MFA for your AWS account and for individual IAM users you have created under your account. MFA can be also be used to control access to AWS service APIs.

After you've obtained a supported hardware or virtual MFA device, AWS does not charge any additional fees for using MFA.

You can also protect cross-account access using MFA.

How to Enable Multi-Factor Authentication (MFA) for Your AWS User Account (4:01)

MFA Form Factors

  Virtual MFA Device Universal 2nd Factor (U2F) Security Key Hardware Key Fob MFA Device Hardware Display Card MFA Device SMS MFA Device (Preview) Hardware Key Fob
MFA Device for
AWS GovCloud (US)

Device

See table below.
Purchase. Purchase. Purchase. Use your mobile device. Purchase.
Physical Form Factor Use your existing smartphone or tablet running any application that supports the open TOTP standard. Durable, waterproof, and crush resistant hardware YubiKey security key provided by Yubico, a third-party provider. Tamper-evident hardware key fob device provided by Gemalto, a third-party provider. Tamper-evident hardware display card device provided by Gemalto, a third-party provider. Any mobile device that can receive Short Message Service (SMS) messages. Tamper-evident hardware key fob device provided by SurePassID, a third-party provider.
Price Free $40.00 $12.99 $19.99 SMS or data charges may apply. $15.95
Features Support for multiple tokens on a single device. Support for multiple root and IAM users using a single security key. The same type of device used by many financial services and enterprise IT organizations. Similar to key fob devices, but in a convenient form factor that fits in your wallet like a credit card. Familiar option with low setup costs. A key fob device
exclusively for use with
AWS GovCloud (US) accounts.
Compatibility with
AWS GovCloud (US)
       
Compatibility with Root Account    
Compatibility with IAM User

 

Virtual MFA Applications

Applications for your smartphone can be installed from the application store that is specific to your phone type. The following table lists some applications for different smartphone types.

U2F Security Key

AWS supports U2F security key as a MFA device for accessing the AWS Management Console using certain web browsers. We encourage you to use virtual or hardware MFA for the AWS Console Mobile App. For more information, please review the configurations associated with U2F security key supported by AWS.

SMS MFA

We are no longer accepting new participants for the SMS MFA preview. We encourage you to use MFA on your AWS account by using either a hardware or virtual (software-based) MFA device.

Existing SMS MFA participants - On February 1, 2019, AWS will no longer require IAM users to enter an MFA six-digit code if the IAM user is setup with “An SMS MFA device”. These users will also no longer be provided an SMS code when they sign in. We encourage you to use MFA through either a hardware-based or a virtual (software-based) MFA device. You can continue using this feature until January 31, 2019.

IAM FAQs

For more information about AWS multi-factor authentication, see the IAM FAQs.

Learn how to get started with AWS IAM

Visit the getting started page
Ready to build?
Get started with AWS IAM
Have more questions?
Contact us