Your AWS account controls cloud infrastructure that could cost thousands of dollars if compromised. A misconfigured or stolen AWS root account can result in massive unauthorised charges, data breaches, and complete loss of cloud resources. Enabling MFA on your AWS root account and IAM users is one of the highest-impact security steps you can take for any cloud workload.
AWS Root Account vs IAM Users: Enable MFA on Both
AWS has two types of accounts that need MFA protection. The root account is the email address used to create the AWS account; it has unrestricted access to everything, including billing and account closure. It should be used rarely but must be protected with MFA. IAM users are the accounts used for day-to-day access. Every IAM user with console access should have MFA enabled individually.
Step 1: Enable MFA on Your AWS Root Account
- Sign in to the AWS Management Console at console.aws.amazon.com using your root account email and password.
- Click your account name in the top right, then select Security credentials.
- Under "Multi-factor authentication (MFA)", click Assign MFA device.
- Give the device a name (e.g. "my-authenticator"), select Authenticator app, and click Next.
- Click Show QR code and scan it with your authenticator app (Google Authenticator, Authy, 1Password, etc.).
- Enter two consecutive 6-digit codes from your app (MFA code 1 and MFA code 2) and click Add MFA.
- MFA is now active on your root account.
Step 2: Enable MFA for IAM Users
To enable MFA for an IAM user (including your own user):
- Go to the IAM console at console.aws.amazon.com/iam.
- Click Users in the left sidebar and select the user.
- Go to the Security credentials tab.
- Under "Multi-factor authentication (MFA)", click Assign MFA device.
- Follow the same steps as for the root account: name the device, select authenticator app, scan the QR code, and enter two consecutive codes.
Enforce MFA for All IAM Users with a Policy
You can require MFA for all IAM actions by attaching a policy that denies everything unless MFA is present. This is AWS best practice for any account with multiple users. Create an IAM policy with the condition "Bool": {"aws:MultiFactorAuthPresent": "false"} and attach it to your users or groups. Users without MFA will be blocked from all actions except the minimal steps needed to enrol their MFA device.
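The policy pattern described above, as an added example that is not the page's or AWS's own code: a simplified version of the AWS-documented "deny everything unless MFA is present, except the actions needed to enrol a device" policy, together with a small evaluator that models only Action/NotAction, Effect and the Bool/BoolIfExists condition operators (Resource matching is ignored). The evaluator exists to show one caveat a practitioner should know: a request signed with a long-term access key carries no `aws:MultiFactorAuthPresent` key in its context, and plain `Bool` never matches a missing key, so the Deny would not fire for such requests; AWS documentation therefore recommends `BoolIfExists` in the Deny statement. The base policy and request contexts are constructed.

```python
"""
Deny-unless-MFA IAM policy plus a tiny condition evaluator.

Added illustration, not AWS code.  The policy is a simplified form of the
AWS-documented "deny all except MFA self-service" pattern; the evaluator
models only Action/NotAction, Effect and the Bool/BoolIfExists operators
(Resource matching is ignored).  All request contexts are constructed.
"""
import copy
from fnmatch import fnmatchcase

# Self-service actions a user needs in order to enrol an MFA device.
MFA_SELF_SERVICE_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ListMFADevices",
    "iam:ResyncMFADevice",
    "iam:GetUser",
]

DENY_UNLESS_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOwnMFAEnrolment",
            "Effect": "Allow",
            "Action": MFA_SELF_SERVICE_ACTIONS,
            "Resource": [
                "arn:aws:iam::*:mfa/*",
                "arn:aws:iam::*:user/${aws:username}",
            ],
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": MFA_SELF_SERVICE_ACTIONS + ["sts:GetSessionToken"],
            "Resource": "*",
            # BoolIfExists, not Bool: a request signed with a long-term
            # access key carries no aws:MultiFactorAuthPresent key at all,
            # and Bool never matches a missing key, so the Deny would not fire.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

# Stand-in for the user's ordinary permissions (constructed).
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    return any(fnmatchcase(action, p) for p in _as_list(patterns))


def _condition_matches(operator, key, expected, context):
    """Mirror IAM's handling of a missing key for Bool vs BoolIfExists."""
    if key not in context:
        return operator == "BoolIfExists"
    return str(context[key]).lower() == str(expected).lower()


def _statement_applies(stmt, action, context):
    if "Action" in stmt and not _action_matches(action, stmt["Action"]):
        return False
    if "NotAction" in stmt and _action_matches(action, stmt["NotAction"]):
        return False
    for operator, clauses in stmt.get("Condition", {}).items():
        for key, expected in clauses.items():
            if not _condition_matches(operator, key, expected, context):
                return False
    return True


def is_allowed(policies, action, context):
    """IAM evaluation order: an explicit Deny wins, else any Allow, else deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def with_bool_operator(policy):
    """Same policy with plain Bool instead of BoolIfExists, to show the access-key gap."""
    weak = copy.deepcopy(policy)
    for stmt in weak["Statement"]:
        if "Condition" in stmt:
            stmt["Condition"] = {"Bool": stmt["Condition"]["BoolIfExists"]}
    return weak


# Constructed request contexts: console session with MFA, console session
# without MFA, and a long-term access key (no MFA key in the context at all).
CTX_MFA = {"aws:MultiFactorAuthPresent": True}
CTX_NO_MFA = {"aws:MultiFactorAuthPresent": False}
CTX_ACCESS_KEY = {}


if __name__ == "__main__":
    strong = [BASE_POLICY, DENY_UNLESS_MFA_POLICY]
    weak = [BASE_POLICY, with_bool_operator(DENY_UNLESS_MFA_POLICY)]
    for name, ctx in [("mfa", CTX_MFA), ("no-mfa", CTX_NO_MFA), ("access-key", CTX_ACCESS_KEY)]:
        print(f"{name:11} s3:ListAllMyBuckets  BoolIfExists={is_allowed(strong, 's3:ListAllMyBuckets', ctx)}"
              f"  Bool={is_allowed(weak, 's3:ListAllMyBuckets', ctx)}")
    print("no-mfa      iam:EnableMFADevice  allowed =", is_allowed(strong, "iam:EnableMFADevice", CTX_NO_MFA))
```

Running the block shows the two policies agreeing for console sessions and disagreeing for the access-key context: with `Bool`, a user who never enrolled MFA can still call `s3:ListAllMyBuckets` through an access key, while `BoolIfExists` blocks it. The enrolment actions remain allowed without MFA in both cases, which is what lets a new user bootstrap their device.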
FIDO2 Security Keys for AWS
AWS supports FIDO2/WebAuthn hardware security keys (such as YubiKey) as an MFA option. For root accounts and highly privileged IAM users, a hardware key provides the strongest available protection and is phishing-resistant. Register a FIDO2 key the same way as a virtual MFA device, selecting "Security key" instead of "Authenticator app" during enrolment. AWS recommends registering two hardware keys and storing one as a backup in a physically secure location.
What to Do If You Lose AWS MFA Access
For IAM users, an AWS administrator can deactivate your MFA device from the IAM console and assign a new one. If the administrator themselves is locked out, or if it is the root account, you must contact AWS Support. For root account recovery, AWS requires identity verification including the phone number on the account, payment method information, and in some cases additional verification steps. This process can take hours to days, which is why having a backup MFA device registered is critical for root accounts.
AWS MFA Best Practices Summary
Enable MFA on the root account immediately and use it only for tasks that genuinely require root access (closing the account, changing billing details, recovering from IAM lockout). For day-to-day work, use IAM users or IAM Identity Center with MFA enforced. Store your authenticator backup codes and root account recovery information in a secure offline location. Consider registering a second MFA device as a backup. Audit your IAM users regularly for MFA compliance using AWS Security Hub or IAM credential reports.
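The compliance audit mentioned above, as an added example that is not the page's or AWS's own code. An IAM credential report is a CSV with one row per identity (the root account appears as `<root_account>`) and columns including `password_enabled` and `mfa_active`; the excerpt embedded here is constructed and uses only a subset of the real report's columns. In practice the report is fetched with `aws iam get-credential-report`, whose `Content` field is base64-encoded; decoding it and passing the text to `audit_mfa` is all that changes.

```python
"""
Audit an IAM credential report for identities that can reach the console without MFA.

Added illustration, not AWS code.  The CSV below is a constructed excerpt
with a subset of the real credential report's columns; real reports are
obtained with `aws iam get-credential-report` and are base64-encoded in
the "Content" field of the response.
"""
import csv
import io

SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-05T10:00:00+00:00,not_supported,2024-03-01T09:12:00+00:00,false,false
alice,arn:aws:iam::111122223333:user/alice,2021-06-01T08:00:00+00:00,true,2024-03-02T14:05:00+00:00,true,true
bob,arn:aws:iam::111122223333:user/bob,2022-02-10T11:30:00+00:00,true,2024-02-28T16:40:00+00:00,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-09-15T09:00:00+00:00,false,no_information,false,true
"""


def audit_mfa(report_csv):
    """Return one finding per identity that can sign in to the console without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            # Root always has a console password; the report marks its
            # password_enabled as not_supported, so check MFA directly.
            if not mfa:
                findings.append({"user": user, "severity": "critical",
                                 "reason": "root account has no MFA device"})
            continue
        # Users with no console password (access-key-only identities such as
        # ci-deploy) cannot log in interactively, so they are out of scope here.
        if row["password_enabled"] == "true" and not mfa:
            findings.append({"user": user, "severity": "high",
                             "reason": "console password enabled but MFA inactive"})
    return findings


def compliance_ratio(report_csv):
    """Share of console-enabled IAM users (root excluded) with MFA active."""
    total = compliant = 0
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>" or row["password_enabled"] != "true":
            continue
        total += 1
        compliant += row["mfa_active"] == "true"
    return compliant / total if total else 1.0


if __name__ == "__main__":
    for finding in audit_mfa(SAMPLE_CREDENTIAL_REPORT):
        print(f"[{finding['severity'].upper():8}] {finding['user']}: {finding['reason']}")
    print(f"console-user MFA compliance: {compliance_ratio(SAMPLE_CREDENTIAL_REPORT):.0%}")
```

On the constructed report the audit flags the root account (critical) and `bob` (high), skips `ci-deploy` because it has no console password, and reports 50% compliance among console-enabled users. Scheduling this against a freshly generated report is a cheap way to catch users who were created after the MFA policy was rolled out but never completed enrolment.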