• With MFA, when a user signs in to an AWS website, they will be prompted for
    • their user name and password (the first factor—what they know)
    • an authentication response from their AWS MFA device (the second factor—what they have)
  • Multiple factors provide increased security for AWS account settings and resources.
  • Enable MFA for AWS account and for individual IAM users created under account.
  • MFA can be also be used to control access to AWS service APIs.

Supported MFA mechanism other than, regular sign-in credentials, are

  • Virtual MFA devices. A software app that runs on a phone or other mobile device and emulates a physical device. The device generates a six-digit numeric code based upon a time-synchronized one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each virtual MFA device assigned to a user must be unique. A user cannot type a code from another user’s virtual MFA device to authenticate.
  • U2F security key. A device that you plug into a USB port on your computer. U2F is an open authentication standard hosted by the FIDO Alliance. When you enable a U2F security key, you sign in by entering your credentials and then tapping the device instead of manually entering a code.
  • Hardware MFA device. A hardware device that generates a six-digit numeric code based upon a time-synchronized one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each MFA device assigned to a user must be unique. A user cannot type a code from another user’s device to be authenticated.
  • SMS text message-based MFA. A type of MFA in which the IAM user settings include the phone number of the user’s SMS-compatible mobile device. When the user signs in, AWS sends a six-digit numeric code by SMS text message to the user’s mobile device. The user is required to type that code on a second webpage during sign-in. Note that SMS-based MFA is available only for IAM users. You cannot use this type of MFA with the AWS account root user.
Menu