How to Set Up 2FA (MFA) on AWS with an Authenticator App
Step-by-step guide to enabling MFA on your AWS root account and IAM users using a TOTP authenticator app. AWS requires MFA for root — here's how to set it up properly.
AWS calls it MFA (multi-factor authentication), not 2FA, but it’s the same thing. AWS has made MFA mandatory for root account users, and strongly recommends it for all IAM users. This isn’t optional security theater — a compromised AWS account can run up thousands of dollars in compute charges within hours, or expose production databases. If you manage infrastructure on AWS, MFA should be the first thing you configure.
This guide covers setting up a virtual MFA device (authenticator app) for both root accounts and IAM users.
Why This Matters
- Root accounts are god mode. The root user can do anything in your AWS account, including deleting all resources, changing billing, and locking out all other users. Protecting it with just a password is reckless.
- IAM users access production. Developers and ops engineers with IAM credentials have access to databases, storage, and compute. A compromised IAM user can exfiltrate data or destroy infrastructure.
- Financial exposure. A stolen AWS account is commonly used for cryptocurrency mining. Attackers spin up large EC2 instances across multiple regions. By the time you notice, the bill can be five figures.
- AWS detects and flags unprotected accounts. AWS Security Hub and Trusted Advisor flag root and IAM users without MFA as critical findings.
What You’ll Need
- AWS Management Console access (root or IAM user)
- A phone with an authenticator app (FactorCat, Google Authenticator, or any TOTP-compatible app)
Setting Up MFA on the Root Account
1. Sign in as Root
Go to console.aws.amazon.com and sign in with the root user email and password.
2. Open Security Credentials
Click your account name (top-right) → Security credentials. Or navigate directly to the IAM console → Dashboard → “Add MFA for root user.”
3. Assign MFA Device
Under Multi-factor authentication (MFA), click “Assign MFA device.”
Give your device a name (e.g., “My Phone” or “Root MFA”).
Select “Authenticator app” and click Next.
4. Scan the QR Code
AWS displays a QR code and a secret key.
Open your authenticator app:
- In FactorCat: Tap + → Scan QR Code. FactorCat adds the token and labels it “AWS (root)” based on the account info in the QR code.
- In other apps: Scan or enter the key manually.
5. Enter Two Consecutive Codes
This is where AWS differs from most services. AWS requires you to enter two consecutive 6-digit codes (not the same code twice — two different codes from two different 30-second windows).
- Wait for your authenticator app to show a code. Enter it in the “MFA code 1” field.
- Wait for the code to refresh (30 seconds). Enter the new code in the “MFA code 2” field.
- Click “Add MFA.”
If the codes are rejected, make sure your phone’s clock is accurate (Settings → Date & Time → “Set automatically”). TOTP is time-sensitive.
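As an added example (not code from this article or from AWS), the Python below models step 5: it generates RFC 6238 codes from the base32 secret AWS displays, checks a pair of codes the way a two-consecutive-code enrollment is verified, and simulates a phone whose clock is off. The enrollment check, its skew tolerance (skew_steps) and the demo secret (the RFC 6238 test key) are assumptions for illustration, not AWS's published implementation.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds; what AWS and the authenticator apps use
DIGITS = 6   # AWS expects 6-digit codes

def totp_at(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing unix_time.
    secret_b32 is the base32 secret AWS shows next to the QR code."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = unix_time // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify_enrollment(secret_b32: str, code1: str, code2: str, now: int,
                      skew_steps: int = 1) -> bool:
    """Models the enrollment check: code1 and code2 must be valid codes from two
    adjacent windows, in order, near the server clock (skew_steps is an assumption)."""
    if code1 == code2:
        return False  # "not the same code twice"
    base = now // STEP
    # code2 may land in base-skew .. base+skew, so code1 is one step earlier than that
    for step in range(base - skew_steps - 1, base + skew_steps):
        if (totp_at(secret_b32, step * STEP) == code1
                and totp_at(secret_b32, (step + 1) * STEP) == code2):
            return True
    return False

def enrollment_from_phone(secret_b32: str, server_now: int, phone_offset: int) -> bool:
    """Simulates a phone whose clock is phone_offset seconds off from AWS's clock:
    the user reads a code, waits one window, reads the next, and submits both."""
    phone_now = server_now + phone_offset
    code1 = totp_at(secret_b32, phone_now)
    code2 = totp_at(secret_b32, phone_now + STEP)
    return verify_enrollment(secret_b32, code1, code2, server_now + STEP)

# Constructed demo secret: the RFC 6238 SHA-1 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    t = 1111111109  # an RFC 6238 test-vector time; the next window starts 2 s later
    print("MFA code 1:", totp_at(DEMO_SECRET, t))          # 081804
    print("MFA code 2:", totp_at(DEMO_SECRET, t + STEP))   # 050471
    print("phone clock correct:", enrollment_from_phone(DEMO_SECRET, t, 0))       # True
    print("phone clock 5 min fast:", enrollment_from_phone(DEMO_SECRET, t, 300))  # False
```

A phone that is a full window (30 s) off still passes because the check tolerates one step of skew; minutes of drift do not, which is why "Set automatically" fixes most rejections.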
6. Done
MFA is now active on your root account. Store your root credentials securely and avoid using the root account for day-to-day work — create IAM users instead.
Setting Up MFA for IAM Users
If you’re an account administrator, you should enable (or require) MFA for all IAM users with console access.
For Individual IAM Users
- Sign in to the AWS Console
- Go to IAM → Users → select the user
- Click the Security credentials tab
- Under MFA device, click “Assign MFA device”
- Follow the same QR scan and two-code verification process as above
Requiring MFA for All IAM Users (Policy-Based)
You can create an IAM policy that denies all actions unless MFA is present. Attach this policy to a group that all users belong to:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptMFASetupUnlessMFAd",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResolveSSOProfile",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
This allows users to set up their own MFA device, but blocks all other actions until they do.
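As an added example (not from this article or from AWS), the Python below evaluates the policy above against three kinds of requests: MFA'd temporary credentials, non-MFA'd temporary credentials, and long-term access keys, for which aws:MultiFactorAuthPresent is absent from the request context. It handles only this statement's shape (Deny, NotAction, one Bool/BoolIfExists condition), not full IAM evaluation, and representing the absent key as mfa_present=None is this example's own convention.

```python
import json
from typing import Optional

# The policy from the page, embedded so this example runs stand-alone.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Sid": "DenyAllExceptMFASetupUnlessMFAd",
   "Effect": "Deny",
   "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                 "iam:ListMFADevices", "iam:ResolveSSOProfile", "sts:GetSessionToken"],
   "Resource": "*",
   "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
""")

def _action_matches(stmt: dict, action: str) -> bool:
    """NotAction matches every action except the listed ones; Action matches the listed ones."""
    if "NotAction" in stmt:
        listed = stmt["NotAction"]
        return action not in (listed if isinstance(listed, list) else [listed])
    listed = stmt.get("Action", [])
    return action in (listed if isinstance(listed, list) else [listed])

def _mfa_condition_matches(stmt: dict, mfa_present: Optional[bool]) -> bool:
    """Evaluates the aws:MultiFactorAuthPresent condition. mfa_present is None when the
    key is absent from the request context, as it is for long-term access keys."""
    for operator, kv in stmt.get("Condition", {}).items():
        want = kv["aws:MultiFactorAuthPresent"].lower() == "true"
        if mfa_present is None:
            if operator.endswith("IfExists"):
                continue        # missing key: the ...IfExists form counts as a match
            return False        # plain Bool: a missing key never matches
        if mfa_present != want:
            return False
    return True

def denied_by_policy(policy: dict, action: str, mfa_present: Optional[bool]) -> bool:
    """True if any Deny statement in the policy applies to this request."""
    return any(s["Effect"] == "Deny" and _action_matches(s, action)
               and _mfa_condition_matches(s, mfa_present)
               for s in policy["Statement"])

def with_operator(policy: dict, operator: str) -> dict:
    """Returns a copy of the policy with the MFA condition operator swapped (for comparison)."""
    p = json.loads(json.dumps(policy))
    for s in p["Statement"]:
        s["Condition"] = {operator: next(iter(s["Condition"].values()))}
    return p
```

The operator choice matters: with plain Bool instead of BoolIfExists, a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key and is not denied at all, so the policy would only constrain console and temporary-credential sessions.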
Managing MFA for Multiple AWS Accounts
If you manage multiple AWS accounts (common with AWS Organizations), each root account needs its own MFA device. You can use the same authenticator app — just add each root account as a separate token.
In FactorCat, each AWS account appears as a separate token with the account alias or number in the label, so you can tell them apart at a glance.
CLI and SDK Access with MFA
MFA in the AWS Console doesn’t automatically protect CLI or SDK access. For programmatic access secured by MFA:
- Use aws sts get-session-token --serial-number arn:aws:iam::ACCOUNT:mfa/DEVICE --token-code CODE to get temporary credentials
- Or configure MFA enforcement in your IAM policies to require MFA for specific API actions
Tips
- Never use root for daily work. Create an IAM user with admin access and use that instead. Only sign in as root when absolutely necessary (billing changes, account closure, etc.).
- Separate MFA for root and IAM. Ideally, your root MFA token should be on a different device or stored more securely than your daily IAM MFA.
- Enable AWS CloudTrail. CloudTrail logs all API calls. If your account is compromised, CloudTrail is how you determine what happened.
- Set up billing alerts. Go to Billing → Budgets and set a monthly budget alert. This catches unauthorized usage early.
- Use AWS SSO/Identity Center for teams. Instead of individual IAM users, AWS Identity Center provides centralized access management with built-in MFA enforcement.
Next Steps
Your AWS account is secured. Protect the rest of your infrastructure:
- Set up 2FA on GitHub — your code is as critical as your infrastructure
- Set up 2FA on Google — your email probably receives AWS alerts
- Set up 2FA on Coinbase — if you handle crypto, MFA is non-negotiable
Managing MFA tokens across multiple AWS accounts, GitHub, and a dozen other services? FactorCat keeps all your tokens organized, matches them to the right site automatically, and auto-fills codes in your browser. No more hunting for the right token in a list of 30.