AWS Step-by-Step

Getting Started with MFA for AWS, Part 1

Recently, Amazon has begun requiring multi-factor authentication (MFA) for the root user when you sign in to your AWS account. While this probably sounds simple enough, setting up MFA can be somewhat challenging, so I want to take the opportunity to walk through the MFA options that exist and show you the easiest way to set up MFA.

What are the MFA Options?
When you log into your AWS account using an account name and the corresponding password, AWS displays a screen similar to the one that is shown in Figure 1. As you can see in the figure, Amazon gives you three main MFA options.

Figure 1: AWS provides you with several different options that you can use for MFA.

As you look at the figure above, the first thing you will probably notice is that you can provide an MFA device name. The name is optional, but it helps you keep track of which device belongs with which account, and, because AWS lets you register more than one MFA device on the same user, which of your devices is which. Some accounts will inevitably be used more often than others, so it is useful to know at a glance which MFA device is associated with which account.

Beneath the Device Name field, you will see three different MFA options. The first option is to use a passkey or a security key. This is the option I will be focusing on in this blog series, so I will come back to it in Part 2. For now, let's talk about the other MFA options.

The second option is to install an authenticator app. This is not a proprietary AWS app. Instead, AWS uses the standard time-based one-time password (TOTP) algorithm, so any third-party authenticator app that implements it works, such as Google Authenticator, Duo Mobile, or Authy. This option, which you can see in Figure 2, is primarily intended for those who run an authenticator app on a smartphone or tablet, but because the algorithm is an open standard, a TOTP client installed on a PC, such as a desktop password manager, works just as well. When you choose this option, AWS shows a QR code (and, behind a link, the same secret as a base32 string) and then asks you to type two consecutive codes from the app, which proves that the secret was captured correctly and that the app's clock is in step with AWS.

Figure 2: These are the steps that are involved in configuring AWS to use an authenticator app.

The third option for MFA is a hardware TOTP token. This is a dedicated device with its own clock and a secret loaded at the factory, and it displays the same kind of time-based six-digit code as the authenticator app. Because it has no network connection and no app to compromise, it is a good fit for a root account whose credentials are kept locked away; the trade-off is that a lost token, or one whose battery has run down, forces you through account recovery.

Can You Opt Out of Using MFA?
To the best of my knowledge, there is no way to opt out of MFA for the root user. What you can do, if the device you are using for MFA fails, is go through account recovery, in which AWS sends a verification code to the email address registered on the account. This is not one of Amazon's normal authentication types; it is an account-recovery path rather than a day-to-day login factor. It also means that the mailbox behind the root account's email address is effectively a second key to the account, so that mailbox needs its own strong MFA.

Can You Change Your MFA Type?
If you configure MFA and later decide that you want to use a different MFA type, you can make the switch. Log into the AWS console, click your account name in the upper right corner of the screen, and select Security Credentials from the account menu to open the My Security Credentials page. The MFA section of this page lists your current MFA device(s), along with buttons to resync a TOTP device (AWS asks for two consecutive codes so it can work out how far the device's clock has drifted from its own), remove an MFA device, or assign a new one. Register the new device before removing the old one, so that you are never left with a password-only account.
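To make concrete what the authenticator-app and hardware-token options, and the Resync button, are actually doing, here is an added example that is not part of the original article and not AWS code. It implements the standard TOTP algorithm that AWS relies on, the server-side check with a small acceptance window, and the two-consecutive-codes resynchronisation that enrolment and Resync both use. The secret is the RFC 4226/6238 reference seed, base32-encoded the way the AWS console shows a virtual-MFA secret; the drift search range is an assumption for the example, not a documented AWS value.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example secret: the RFC 4226/6238 reference seed, base32-encoded
# the way the AWS console presents a virtual-MFA secret. Never reuse a published
# seed for a real device.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # code lifetime used by AWS and all common authenticator apps
DIGITS = 6          # AWS codes are six digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce mod 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Accept the secret as the console shows it (any case, possibly with spaces)."""
    return base64.b32decode(secret_b32.replace(" ", "").upper())


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of 30-second steps since the epoch."""
    at = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), at // STEP_SECONDS)


def verify(secret_b32: str, code: str, at: int, drift: int = 0, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or its neighbours
    (+/- window), after applying any step offset learned from an earlier resync.
    Every candidate is compared in constant time and the loop never breaks early,
    so timing does not reveal which step matched."""
    secret = decode_secret(secret_b32)
    counter = at // STEP_SECONDS + drift
    matched = False
    for k in range(-window, window + 1):
        if counter + k >= 0 and hmac.compare_digest(hotp(secret, counter + k), code):
            matched = True
    return matched


def resync(secret_b32: str, code1: str, code2: str, at: int, search: int = 200) -> Optional[int]:
    """What the Resync button (and enrolment) does with two consecutive codes: find
    the step offset d at which the device produced code1 and then code2. Two codes
    are needed because a lone six-digit code matches a random step with probability
    1e-6 per try, far too high across a wide search. The +/-200-step range (about
    100 minutes) is an assumption for this example, not a documented AWS value."""
    secret = decode_secret(secret_b32)
    base = at // STEP_SECONDS
    for d in range(-search, search + 1):
        if base + d < 0:
            continue
        if hmac.compare_digest(hotp(secret, base + d), code1) and \
           hmac.compare_digest(hotp(secret, base + d + 1), code2):
            return d
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("secret as the console would show it:", EXAMPLE_SECRET_B32)
    print("code right now:", totp(EXAMPLE_SECRET_B32, now))
    # Simulate a hardware token whose clock runs 90 seconds (three steps) fast.
    fast = now + 3 * STEP_SECONDS
    c1 = totp(EXAMPLE_SECRET_B32, fast)
    c2 = totp(EXAMPLE_SECRET_B32, fast + STEP_SECONDS)
    print("accepted before resync:", verify(EXAMPLE_SECRET_B32, c1, now))
    d = resync(EXAMPLE_SECRET_B32, c1, c2, now)
    print("step offset learned from resync:", d)
    print("accepted after resync:", verify(EXAMPLE_SECRET_B32, c1, now, drift=d))
```

The `verify` window is why a code typed a few seconds after it rolls over is still accepted, and `resync` is why the console insists on two codes rather than one: with the reference seed, a token three steps fast is rejected by the plain check, and after the two-code search the learned offset of 3 makes its codes valid again.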

Conclusion
So now that I have covered the various MFA options Amazon provides, I will follow up in Part 2 by showing you how to set up MFA using the Passkey or Security Key option. Even though this option is arguably the easiest to configure, weird things can and sometimes do happen, so I will also show you a workaround that I used when MFA failed.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
