Guide

How to Enable MFA on AWS (Amazon Web Services)

Your AWS account controls cloud infrastructure that could cost thousands of dollars if compromised. A misconfigured or stolen AWS root account can result in massive unauthorised charges, data breaches, and complete loss of cloud resources. Enabling MFA on your AWS root account and IAM users is one of the highest-impact security steps you can take for any cloud workload.

AWS Root Account vs IAM Users: Enable MFA on Both

AWS has two types of accounts that need MFA protection. The root account is the email address used to create the AWS account; it has unrestricted access to everything, including billing and account closure. It should be used rarely but must be protected with MFA. IAM users are the accounts used for day-to-day access. Every IAM user with console access should have MFA enabled individually.

Step 1: Enable MFA on Your AWS Root Account

  1. Sign in to the AWS Management Console at console.aws.amazon.com using your root account email and password.
  2. Click your account name in the top right, then select Security credentials.
  3. Under "Multi-factor authentication (MFA)", click Assign MFA device.
  4. Give the device a name (e.g. "my-authenticator"), select Authenticator app, and click Next.
  5. Click Show QR code and scan it with your authenticator app (Google Authenticator, Authy, 1Password, etc.).
  6. Enter two consecutive 6-digit codes from your app (MFA code 1 and MFA code 2) and click Add MFA.
  7. MFA is now active on your root account.
Use two separate codes from consecutive 30-second windows. AWS requires two sequential codes to confirm the authenticator is properly synchronised. Wait for the first code to change, then enter both in order.

Step 2: Enable MFA for IAM Users

To enable MFA for an IAM user (including your own user):

  1. Go to the IAM console at console.aws.amazon.com/iam.
  2. Click Users in the left sidebar and select the user.
  3. Go to the Security credentials tab.
  4. Under "Multi-factor authentication (MFA)", click Assign MFA device.
  5. Follow the same steps as for the root account: name the device, select Authenticator app, scan the QR code, and enter two consecutive codes.

Enforce MFA for All IAM Users with a Policy

You can require MFA for all IAM actions by attaching a policy that denies everything unless MFA is present. This is AWS best practice for any account with multiple users. Create an IAM policy with the condition "Bool": {"aws:MultiFactorAuthPresent": "false"} and attach it to your users or groups. Users without MFA will be blocked from all actions except the minimal steps needed to enrol their MFA device.
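The following is an added example, not code from the page or from AWS, that models how the "deny everything without MFA" pattern behaves for different kinds of requests. It builds the policy document with the enrolment actions carved out via NotAction (the action list and resource are assumptions following the pattern in the AWS IAM documentation) and then evaluates the Deny statement with a deliberately tiny condition evaluator. The point it shows: `aws:MultiFactorAuthPresent` is simply absent from requests signed with long-term access keys, so a Deny using `Bool` never matches those requests, whereas `BoolIfExists` treats the missing key as a match and denies them.

```python
"""Simulate an IAM Deny statement keyed on aws:MultiFactorAuthPresent.

Added example, not AWS code. The evaluator is a minimal model of the two
condition operators that matter here (Bool and BoolIfExists); it is not a
full IAM policy engine.
"""
import json

# Minimal self-service actions a user needs to enrol an MFA device.
# Assumed list following the "deny everything without MFA" pattern in the
# AWS IAM documentation; adjust to your own policy.
ENROLMENT_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]


def build_deny_without_mfa_policy(operator: str) -> dict:
    """Return the policy document using `operator` ("Bool" or
    "BoolIfExists") in its Deny statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllExceptEnrolmentWhenNoMFA",
                "Effect": "Deny",
                "NotAction": ENROLMENT_ACTIONS,
                "Resource": "*",
                "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
            }
        ],
    }


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block containing Bool / BoolIfExists checks.

    Bool:         the key must be present AND equal the expected value.
    BoolIfExists: a missing key counts as a match; otherwise compare.
    """
    for operator, checks in condition.items():
        for key, expected in checks.items():
            present = key in context
            if operator == "Bool":
                if not present or context[key] != expected:
                    return False
            elif operator == "BoolIfExists":
                if present and context[key] != expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def is_denied(policy: dict, action: str, context: dict) -> bool:
    """True if any Deny statement in the policy applies to `action`."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if action in stmt.get("NotAction", []):
            continue  # carved out so the user can still enrol a device
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed request contexts (the values IAM would supply).
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}           # console or STS session with MFA
PASSWORD_ONLY_SESSION = {"aws:MultiFactorAuthPresent": "false"}  # console login without MFA
LONG_TERM_ACCESS_KEY = {}  # request signed with an access key pair: key absent


def compare_operators(action: str = "s3:ListAllMyBuckets") -> dict:
    """Map each operator to which request kinds are denied for `action`."""
    results = {}
    for operator in ("Bool", "BoolIfExists"):
        policy = build_deny_without_mfa_policy(operator)
        results[operator] = {
            "mfa_session": is_denied(policy, action, MFA_SESSION),
            "password_only": is_denied(policy, action, PASSWORD_ONLY_SESSION),
            "long_term_access_key": is_denied(policy, action, LONG_TERM_ACCESS_KEY),
        }
    return results


if __name__ == "__main__":
    print(json.dumps(build_deny_without_mfa_policy("BoolIfExists"), indent=2))
    for op, outcome in compare_operators().items():
        print(op, outcome)
```

With `Bool`, the long-term access key request is not denied at all, which is why the Deny statement should use `BoolIfExists`. A user holding only an access key pair can still call `sts:GetSessionToken` with their MFA device serial and a current code to obtain temporary credentials whose requests carry `aws:MultiFactorAuthPresent` as `true`.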

FIDO2 Security Keys for AWS

AWS supports FIDO2/WebAuthn hardware security keys (such as YubiKey) as an MFA option. For root accounts and highly privileged IAM users, a hardware key provides the strongest available protection and is phishing-resistant. Register a FIDO2 key the same way as a virtual MFA device, selecting "Security key" instead of "Authenticator app" during enrolment. AWS recommends registering two hardware keys and storing one as a backup in a physically secure location.

What to Do If You Lose AWS MFA Access

For IAM users, an AWS administrator can deactivate your MFA device from the IAM console and assign a new one. If the administrator themselves is locked out, or if it is the root account, you must contact AWS Support. For root account recovery, AWS requires identity verification including the phone number on the account, payment method information, and in some cases additional verification steps. This process can take hours to days, which is why having a backup MFA device registered is critical for root accounts.

AWS MFA Best Practices Summary

Enable MFA on the root account immediately and use it only for tasks that genuinely require root access (closing the account, changing billing details, recovering from IAM lockout). For day-to-day work, use IAM users or IAM Identity Center with MFA enforced. Store your authenticator backup codes and root account recovery information in a secure offline location. Consider registering a second MFA device as a backup. Audit your IAM users regularly for MFA compliance using AWS Security Hub or IAM credential reports.
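As an added example (not the page's or AWS's own code) of the credential-report audit mentioned above, the script below parses an IAM credential report and separates the root account, console users without MFA, and access-key-only users. The CSV embedded in it is constructed sample data laid out in the report's column format; a real report is fetched with `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`.

```python
"""Audit an IAM credential report for accounts that lack MFA.

Added example, not AWS code. The report below is constructed sample data
using the real report's column names; the account id and user names are
placeholders.
"""
import csv
import io

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,false,false
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::111122223333:user/bob,2021-03-04T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,false,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,false
"""


def audit_mfa(report_text: str) -> dict:
    """Classify every row of a credential report by its MFA posture.

    Returns a dict with:
      root_without_mfa:          True if the root account row has no MFA
      console_users_without_mfa: IAM users with a password but no MFA
      access_key_only_users:     IAM users with active keys and no password
                                 (MFA cannot be enforced on them at login;
                                 use an aws:MultiFactorAuthPresent policy)
    """
    findings = {
        "root_without_mfa": False,
        "console_users_without_mfa": [],
        "access_key_only_users": [],
    }
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        mfa_active = row["mfa_active"] == "true"
        # The root account appears as a literal "<root_account>" row.
        if user == "<root_account>":
            findings["root_without_mfa"] = not mfa_active
            continue
        has_password = row["password_enabled"] == "true"
        has_key = (
            row["access_key_1_active"] == "true"
            or row["access_key_2_active"] == "true"
        )
        if has_password and not mfa_active:
            findings["console_users_without_mfa"].append(user)
        elif not has_password and has_key:
            findings["access_key_only_users"].append(user)
    return findings


def summarise(findings: dict) -> list:
    """Render findings as one line per problem, most severe first."""
    lines = []
    if findings["root_without_mfa"]:
        lines.append("CRITICAL: root account has no MFA device")
    for user in findings["console_users_without_mfa"]:
        lines.append(f"HIGH: console user {user} has no MFA device")
    for user in findings["access_key_only_users"]:
        lines.append(f"INFO: {user} uses access keys only; enforce MFA via policy")
    return lines


if __name__ == "__main__":
    for line in summarise(audit_mfa(SAMPLE_REPORT)):
        print(line)
```

Run this against a freshly generated report on a schedule, or feed the same logic into a Security Hub custom finding; the root row is the one to alert on first.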

Related Articles

Why AWS 2FA Is Critical for Root and IAM Accounts

An unsecured AWS root account is one of the most dangerous security failures possible for any organisation. The root account has unrestricted access to all AWS services and billing: an attacker with root access can spin up thousands of EC2 instances for cryptocurrency mining (resulting in bills of tens of thousands of dollars in hours), access all S3 buckets, delete all backups, and exfiltrate any data in the account. Real-world AWS compromises through stolen credentials have resulted in bills exceeding $50,000 in a single weekend. AWS best practice: enable MFA on the root account immediately and never use it for day-to-day operations.

Root Account vs IAM User 2FA

The root account is the master account created when you first signed up for AWS; it should have 2FA enabled and its credentials should be stored securely and used as rarely as possible. IAM users are separate accounts with specific permissions that you create for daily use. Each IAM user should have their own 2FA configured. When setting up 2FA on a root account, AWS requires you to enter two consecutive TOTP codes (from different 30-second windows) to verify the authenticator app is correctly configured.

Enforcing MFA for IAM Users Through Policies

AWS lets you create IAM policies that require MFA before any sensitive action can be performed; a common pattern is granting full permissions only after MFA authentication. This means even if an attacker steals an IAM user's access keys, they cannot perform sensitive operations without also having the MFA device. AWS provides example "Deny everything without MFA" policies in their documentation that can be adapted for your needs.

Frequently Asked Questions

Does AWS 2FA protect programmatic access (API keys)? IAM access keys used for programmatic API access do not require MFA by default. You can enforce MFA for API access using IAM condition keys (aws:MultiFactorAuthPresent) in your policies. Applications then need to be changed to make MFA-protected API calls with temporary credentials obtained from AWS STS, rather than calling the API directly with long-term access keys.

What happens if the root account 2FA device is lost? AWS root account MFA recovery requires contacting AWS Support and going through a verification process using the account's billing information, email, and phone number, taking 24 to 72 hours. Treat your root account's backup codes like a master password to your entire cloud infrastructure.

Should I enable 2FA on AWS even for test or development accounts? Yes: even development accounts often contain sensitive data or credentials that could be used to access production systems, or could be used to run expensive compute workloads at your expense.