AWS MFA Setup (Root and IAM Users)

Enable MFA on your AWS root account and IAM users with a TOTP authenticator app. AWS requires MFA for root accounts - here's the full setup including IAM policy enforcement.


AWS calls it MFA (multi-factor authentication), not 2FA, but it’s the same thing. AWS has made MFA mandatory for root account users, and strongly recommends it for all IAM users. This isn’t optional security theater - a compromised AWS account can run up thousands of dollars in compute charges within hours, or expose production databases. If you manage infrastructure on AWS, MFA should be the first thing you configure.

This guide covers setting up a virtual MFA device (authenticator app) for both root accounts and IAM users.

Why This Matters

  • Root accounts are god mode. The root user can do anything in your AWS account, including deleting all resources, changing billing, and locking out all other users. Protecting it with just a password is reckless.
  • IAM users access production. Developers and ops engineers with IAM credentials have access to databases, storage, and compute. A compromised IAM user can exfiltrate data or destroy infrastructure.
  • Financial exposure. A stolen AWS account is commonly used for cryptocurrency mining. Attackers spin up large EC2 instances across multiple regions. By the time you notice, the bill can be five figures.
  • AWS detects and flags unprotected accounts. AWS Security Hub and Trusted Advisor flag root and IAM users without MFA as critical findings.

What You’ll Need

Setting Up MFA on the Root Account

1. Sign in as Root

Go to console.aws.amazon.com and sign in with the root user email and password.

2. Open Security Credentials

Click your account name (top-right) → Security credentials. Or navigate directly to the IAM console → Dashboard → “Add MFA for root user.”

3. Assign MFA Device

Under Multi-factor authentication (MFA), click “Assign MFA device.”

Give your device a name (e.g., “My Phone” or “Root MFA”).

Select “Authenticator app” and click Next.

4. Scan the QR Code

AWS displays a QR code and a secret key.

Open your authenticator app:

  • In FactorCat: Tap + → Scan QR Code. FactorCat adds the token and labels it “AWS (root)” based on the account info in the QR code.
  • In other apps: Scan or enter the key manually.

5. Enter Two Consecutive Codes

This is where AWS differs from most services. AWS requires you to enter two consecutive 6-digit codes (not the same code twice - two different codes from two different 30-second windows).

  1. Wait for your authenticator app to show a code. Enter it in the “MFA code 1” field.
  2. Wait for the code to refresh (30 seconds). Enter the new code in the “MFA code 2” field.
  3. Click “Add MFA.”

If the codes are rejected, make sure your phone’s clock is accurate (Settings → Date & Time → “Set automatically”). TOTP is time-sensitive.

6. Done

MFA is now active on your root account. Store your root credentials securely and avoid using the root account for day-to-day work - create IAM users instead.

Setting Up MFA for IAM Users

If you’re an account administrator, you should enable (or require) MFA for all IAM users with console access.

For Individual IAM Users

  1. Sign in to the AWS Console
  2. Go to IAM → Users → select the user
  3. Click the Security credentials tab
  4. Under MFA device, click “Assign MFA device”
  5. Follow the same QR scan and two-code verification process as above

Requiring MFA for All IAM Users (Policy-Based)

You can create an IAM policy that denies all actions unless MFA is present. Attach this policy to a group that all users belong to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptMFASetupUnlessMFAd",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResolveSSOProfile",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

This allows users to set up their own MFA device, but blocks all other actions until they do.
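To see exactly which requests the policy above blocks, here is an added example (not AWS's evaluator and not part of this guide's original content): a small Python model of this one Deny statement, covering the NotAction exemption list and the BoolIfExists operator, run against constructed request contexts. It also shows why the exempted sts:GetSessionToken matters for the CLI flow described later in this guide.

```python
import json

# The policy from this guide, embedded here as constructed input for the evaluator.
MFA_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllExceptMFASetupUnlessMFAd",
    "Effect": "Deny",
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                  "iam:ListMFADevices", "iam:ResolveSSOProfile",
                  "sts:GetSessionToken"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}""")

# Request contexts as IAM sees them (constructed). The MFA key is absent for
# requests signed with long-term access keys, "false" after a console sign-in
# without MFA, and "true" after an MFA sign-in or MFA-backed sts:GetSessionToken.
NO_KEY = {}
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}


def condition_matches(condition: dict, context: dict) -> bool:
    """Only the operator this policy uses. With BoolIfExists a missing key
    counts as a match, which is why plain access-key requests are denied too."""
    for key, wanted in condition.get("BoolIfExists", {}).items():
        if key in context and str(context[key]).lower() != wanted:
            return False
    return True


def is_denied(policy: dict, action: str, context: dict) -> bool:
    """Evaluate the explicit Deny statements of a NotAction-style policy.
    Simplified on purpose: no wildcards, no Allow statements (a user still
    needs an Allow from another policy; this models only the MFA gate)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if action in stmt.get("NotAction", []):
            continue  # listed actions are exempt from the deny
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

Note that iam:ChangePassword is not in the NotAction list, so a user whose first sign-in forces a password reset is denied before ever reaching MFA setup; add it (and iam:GetUser, which the console's MFA page calls) to the exemptions if you use that flow.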

Managing MFA for Multiple AWS Accounts

If you manage multiple AWS accounts (common with AWS Organizations), each root account needs its own MFA device. You can use the same authenticator app - just add each root account as a separate token.

In FactorCat, each AWS account appears as a separate token with the account alias or number in the label, so you can tell them apart at a glance. The browser extension uses domain matching to surface the right AWS account token when you’re signing in to that specific console.

CLI and SDK Access with MFA

MFA in the AWS Console doesn’t automatically protect CLI or SDK access. For programmatic access secured by MFA:

  1. Use aws sts get-session-token --serial-number arn:aws:iam::ACCOUNT:mfa/DEVICE --token-code CODE to get temporary credentials
  2. Or configure MFA enforcement in your IAM policies to require MFA for specific API actions

Tips

  • Never use root for daily work. Create an IAM user with admin access and use that instead. Only sign in as root when absolutely necessary (billing changes, account closure, etc.).
  • Separate MFA for root and IAM. Ideally, your root MFA token should be on a different device or stored more securely than your daily IAM MFA.
  • Enable AWS CloudTrail. CloudTrail logs all API calls. If your account is compromised, CloudTrail is how you determine what happened.
  • Set up billing alerts. Go to Billing → Budgets and set a monthly budget alert. This catches unauthorized usage early.
  • Use AWS SSO/Identity Center for teams. Instead of individual IAM users, AWS Identity Center provides centralized access management with built-in MFA enforcement.

Next Steps

AWS is secured. Protect the rest of your infrastructure:


Managing MFA tokens across multiple AWS accounts, GitHub, and a dozen other services? FactorCat keeps all your tokens organized, matches them to the right site automatically, and auto-fills codes in your browser. No more hunting for the right token in a list of 30.

Frequently asked questions

Is MFA required for AWS root accounts?

Yes. AWS now mandates MFA on root accounts and enforces it: root sign-in without MFA is blocked. The requirement rolled out across regions in 2024-2025. AWS Security Hub and Trusted Advisor also flag IAM users without MFA as critical findings, even though IAM MFA is not yet mandatory.

Why does AWS ask for two consecutive codes?

AWS enrolls a virtual MFA device by verifying you can generate two codes from different 30-second TOTP windows. This proves the secret is correctly seeded and your clock is in sync. Wait for the first code, enter it, wait for the code to refresh, then enter the second.
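As an added example (not AWS's or FactorCat's code), here is the TOTP arithmetic behind step 5 of the root setup and this FAQ answer: it derives the codes for two adjacent 30-second windows from a base32 secret of the kind the AWS console displays, and models the enrollment check that the two codes must come from consecutive windows. The secret is the RFC 6238 reference key (constructed input, not a real AWS secret), and the clock-drift tolerance in verify_enrollment is an assumption, since AWS does not publish its own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed secret: the RFC 6238 reference key, base32-encoded the way the
# AWS console shows a virtual MFA secret key. Not a real AWS secret.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP = 30    # AWS virtual MFA devices use 30-second TOTP windows
DIGITS = 6   # and 6-digit codes


def totp(secret_b32: str, counter: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for one time-step counter."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp_at(secret_b32: str, unix_time: int) -> str:
    """Code shown by the authenticator app at a given Unix time."""
    return totp(secret_b32, unix_time // STEP)


def enrollment_codes(secret_b32: str, unix_time: int) -> tuple:
    """The pair AWS asks for: the current code and the one from the next window."""
    counter = unix_time // STEP
    return totp(secret_b32, counter), totp(secret_b32, counter + 1)


def verify_enrollment(secret_b32: str, code1: str, code2: str,
                      unix_time: int, drift: int = 2) -> bool:
    """Server-side check modelled on AWS's rule: code1 and code2 must come from
    two consecutive windows near the current time, so the same code entered
    twice fails. The +/- `drift` windows of tolerance are an assumption."""
    now = unix_time // STEP
    for counter in range(now - drift, now + drift + 1):
        if (totp(secret_b32, counter) == code1
                and totp(secret_b32, counter + 1) == code2):
            return True
    return False
```

A phone clock that is off by more than the tolerance produces codes from the wrong windows, which is why the setup steps tell you to enable automatic time.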

Can I use Google Authenticator for AWS MFA?

Yes. AWS works with any TOTP-compatible authenticator app, including Google Authenticator, FactorCat, Authy, 1Password, and others. Compare the options if you manage multiple AWS accounts.

Can I have multiple MFA devices on one AWS account?

Yes. As of 2022, AWS supports up to 8 MFA devices per IAM user and per root account. This is useful for redundancy (work phone + personal phone) or for backup hardware keys alongside a virtual MFA. The same TOTP secret can also be loaded into multiple authenticator apps if you want device-level redundancy from one enrollment.

How do I require MFA for all IAM users via policy?

Attach an IAM policy that denies all actions unless aws:MultiFactorAuthPresent is true. The policy in this guide allows users to set up their own MFA device, but blocks everything else until they do. Combined with AWS Identity Center, you can centralize MFA enforcement across an entire AWS Organization.
