AWS Multi-Factor Authentication

AWS Multi-Factor Authentication (AWS MFA) provides an extra level of security that you can apply to your AWS environment. With AWS MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password (the first factor – what they know), as well as for an authentication code from their AWS MFA device (the second factor – what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.

You can enable AWS MFA for your AWS account and for individual AWS Identity and Access Management (IAM) users you have created under your account.

Once you've obtained a supported hardware or virtual MFA device, AWS does not charge any additional fees for the use of AWS MFA.

Features of AWS MFA

You can require MFA authentication to:

  • Sign into the AWS Management Console
  • Access AWS service APIs and resources

Additional information about AWS Multi-Factor Authentication can be found in the AWS MFA FAQs.

Sign into the AWS Management
Console to enable MFA
Enable AWS MFA


Video: Getting Started with Multi-Factor Authentication

How to enable AWS MFA

AWS MFA supports both hardware and virtual MFA devices.

Virtual MFA Device Hardware MFA Device
Get device Find a AWS MFA compatible application Purchase Gemalto Device
Physical Form Factor Use your existing smartphone, tablet, or computer running any application that supports the open TOTP standard. Tamper-evident hardware keyfob device provided by Gemalto, a 3rd-party provider.
Price Free $12.99
Security Better Best
Features Support for multiple tokens on a single device. The same type of device used by many financial services and enterprise IT organizations.

Enable AWS MFA
Sign into the AWS Management Console to enable MFA


©2011, Amazon Web Services LLC or its affiliates. All rights reserved.