docs.aws.amazon.com
Open in
urlscan Pro
108.138.36.93
Public Scan
URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html
Submission: On July 20 via api from US — Scanned from DE
Submission: On July 20 via api from US — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
SELECT YOUR COOKIE PREFERENCES
We use essential cookies and similar tools that are necessary to provide our
site and services. We use performance cookies to collect anonymous statistics so
we can understand how customers use our site and make improvements. Essential
cookies cannot be deactivated, but you can click “Customize cookies” to decline
performance cookies.
If you agree, AWS and approved third parties will also use cookies to provide
useful site features, remember your preferences, and display relevant content,
including relevant advertising. To continue without accepting these cookies,
click “Continue without accepting.” To make more detailed choices or learn more,
click “Customize cookies.”
Accept all cookiesContinue without acceptingCustomize cookies
CUSTOMIZE COOKIE PREFERENCES
We use cookies and similar tools (collectively, "cookies") for the following
purposes.
ESSENTIAL
Essential cookies are necessary to provide our site and services and cannot be
deactivated. They are usually set in response to your actions on the site, such
as setting your privacy preferences, signing in, or filling in forms.
PERFORMANCE
Performance cookies provide anonymous statistics about how customers navigate
our site so we can improve site experience and performance. Approved third
parties may perform analytics on our behalf, but they cannot use the data for
their own purposes.
Allow performance category
Allowed
FUNCTIONAL
Functional cookies help us provide useful site features, remember your
preferences, and display relevant content. Approved third parties may set these
cookies to provide certain site features. If you do not allow these cookies,
then some or all of these services may not function properly.
Allow functional category
Allowed
ADVERTISING
Advertising cookies may be set through our site by us or our advertising
partners and help us deliver relevant marketing content. If you do not allow
these cookies, you will experience less relevant advertising.
Allow advertising category
Allowed
Blocking some types of cookies may impact your experience of our sites. You may
review and change your choices at any time by clicking Cookie preferences in the
footer of this site. We and selected third-parties use cookies or similar
technologies as specified in the AWS Cookie Notice.
CancelSave preferences
UNABLE TO SAVE COOKIE PREFERENCES
We will only store essential cookies at this time, because we were unable to
save your cookie preferences.
If you want to change your cookie preferences, try again later using the link in
the AWS console footer, or contact support if the problem persists.
Dismiss
Contact Us
English
Create an AWS Account
1. AWS
2. ...
3. Documentation
4. AWS Identity and Access Management
5. User Guide
Feedback
Preferences
AWS IDENTITY AND ACCESS MANAGEMENT
USER GUIDE
* What is IAM?
* When do I use IAM
* How IAM works
* Users in AWS
* Permissions and policies in IAM
* What is ABAC?
* Security features outside IAM
* Quick links to common tasks
* IAM console search
* Working with AWS SDKs
* Getting set up
* Your AWS account ID and its alias
* Find your AWS account ID
* About account aliases
* Creating, deleting, and listing an AWS account alias
* Getting started
* Tutorials
* Grant access to the billing console
* Delegate access across AWS accounts using roles
* Create a customer managed policy
* Use attribute-based access control (ABAC)
* Use SAML session tags for ABAC
* Permit users to manage their credentials and MFA settings
* Identities
* Users
* Adding a user
* Controlling user access to the console
* How IAM users sign in to AWS
* Using MFA devices with your IAM sign-in page
* Managing users
* Changing permissions for a user
* Managing passwords
* Changing the root user password
* Setting a password policy
* Managing user passwords
* Permitting IAM users to change their own passwords
* How an IAM user changes their own password
* Access keys
* Retrieving lost passwords or access keys
* Multi-factor authentication (MFA)
* Enabling MFA devices
* Enabling a virtual MFA device (console)
* Enabling a FIDO security key (console)
* Supported configurations for using FIDO security keys
* Enabling a hardware TOTP token (console)
* Enabling and managing virtual MFA devices (AWS CLI or AWS API)
* Checking MFA status
* Resynchronizing virtual and hardware MFA devices
* Deactivating MFA devices
* What if an MFA device is lost or stops working?
* Configuring MFA-protected API access
* Sample code: MFA
* Finding unused credentials
* Getting credential reports
* Using IAM with CodeCommit
* Using IAM with Amazon Keyspaces
* Managing server certificates
* User groups
* Creating user groups
* Managing user groups
* Listing IAM user groups
* Adding and removing users in an IAM user group
* Attaching a policy to an IAM user group
* Renaming an IAM user group
* Deleting a user group
* Roles
* Terms and concepts
* Common scenarios
* Providing access across AWS accounts
* Providing access for non AWS workloads
* Providing access to third-party AWS accounts
* Using an external ID for third-party access
* Providing access to AWS services
* The confused deputy problem
* Providing access through identity federation
* Identity providers and federation
* About web identity federation
* Using Amazon Cognito for mobile apps
* Using web identity federation API operations for mobile apps
* Identifying users with web identity federation
* Additional resources for web identity federation
* About SAML 2.0 federation
* Creating IAM identity providers
* Creating OIDC identity providers
* Obtaining the thumbprint for an OIDC Identity Provider
* Creating IAM SAML identity providers
* Configuring relying party trust and claims
* Integrating third-party SAML solution providers with AWS
* Configuring SAML assertions for the authentication response
* Enable SAML 2.0 federated users to access the AWS console
* Enabling custom identity broker access to the AWS console
* Service-linked roles
* Creating roles
* Creating a role for an IAM user
* Creating a role for an AWS service
* Creating a role for identity federation
* Creating a role for web Identity/OIDC federation
* Creating a role for SAML 2.0 federation
* Creating a role using custom trust policies
* Examples of policies for delegating access
* Using roles
* Granting a user permissions to switch roles
* Granting permissions to pass a role to a service
* Switching roles (console)
* Switching roles (AWS CLI)
* Switching roles (Tools for Windows PowerShell)
* Switching roles (AWS API)
* Using roles for applications on Amazon EC2
* Using instance profiles
* Revoking role temporary credentials
* Managing roles
* Modifying a role
* Modifying a role (console)
* Modifying a role (AWS CLI)
* Modifying a role (AWS API)
* Deleting roles or instance profiles
* Tagging IAM resources
* Tagging IAM users
* Tagging IAM roles
* Tagging customer managed policies
* Tagging IAM identity providers
* Tagging OpenID Connect (OIDC) identity providers
* Tagging IAM SAML identity providers
* Tagging instance profiles
* Tagging server certificates
* Tagging virtual MFA devices
* Session tags
* Temporary security credentials
* Requesting temporary security credentials
* Using temporary credentials with AWS resources
* Controlling permissions for temporary security credentials
* Permissions for AssumeRole API operations
* Monitor and control actions taken with assumed roles
* Permissions for GetFederationToken
* Permissions for GetSessionToken
* Disabling permissions
* Granting permissions to create credentials
* Managing AWS STS in an AWS Region
* Using AWS STS interface VPC endpoints
* Using bearer tokens
* Sample applications that use temporary credentials
* Additional resources for temporary credentials
* AWS account root user
* Log events with CloudTrail
* Access management
* Policies and permissions
* Managed policies and inline policies
* Choosing managed or inline
* Getting started with managed policies
* Converting inline policy to managed
* Deprecated AWS managed policies
* Permissions boundaries
* Identity vs resource
* Controlling access using policies
* Control access to IAM users and roles using tags
* Control access to AWS resources using tags
* Cross account resource access
* Example policies
* AWS: Specific access during a date range
* AWS: Enable or disable AWS Regions
* AWS: Self-manage credentials with MFA (My security credentials)
* AWS: Specific access with MFA during a date range
* AWS: Self-manage credentials no MFA (My security credentials)
* AWS: Self-manage MFA device (My security credentials)
* AWS: Self-manage console password (My security credentials)
* AWS: Self-manage password, access keys, & SSH public keys (My
security credentials)
* AWS: Deny access based on requested Region
* AWS: Deny access based on source IP
* AWS: Deny access to Amazon S3 resources outside your account except
AWS Data Exchange
* Data Pipeline: Deny access to pipelines not created by user
* DynamoDB: Access specific table
* DynamoDB: Allow access to specific attributes
* DynamoDB: Allow item access based on a Amazon Cognito ID
* EC2: Attach or detach tagged EBS volumes
* EC2: Launch instances in a subnet (includes console)
* EC2: Manage security groups with the same tags (includes console)
* EC2: Start or stop instances a user has tagged (includes console)
* EC2: Start or stop instances based on tags
* EC2: Start or stop for matching tags
* EC2: Full access within a Region (includes console)
* EC2: Start or stop an instance, modify security group (includes
console)
* EC2: Requires MFA (GetSessionToken) for operations
* EC2: Limit terminating instances to IP range
* IAM: Access the policy simulator API
* IAM: Access the policy simulator console
* IAM: Assume tagged roles
* IAM: Allows and denies multiple services (includes console)
* IAM: Add specific tag to tagged user
* IAM: Add a specific tag
* IAM: Create only tagged users
* IAM: Generate credential reports
* IAM: Manage group membership (includes console)
* IAM: Manage a tag
* IAM: Pass a role to a service
* IAM: Read-only console access (no reporting)
* IAM: Read-only console access
* IAM: Specific users manage group (includes console)
* IAM: Setting account password requirements (includes console)
* IAM: Access the policy simulator API based on user path
* IAM: Access the policy simulator console based on user path
(includes console)
* IAM: MFA self-management
* IAM: Rotate credentials (includes console)
* IAM: View Organizations service last accessed information for a
policy
* IAM: Apply limited managed policies
* AWS: Deny access to resources outside your account except AWS
managed IAM policies
* Lambda: Service access to DynamoDB
* RDS: Full access within a Region
* RDS: Restore databases (includes console)
* RDS: Full access for tag owners
* S3: Access bucket if cognito
* S3: Access federated user home directory (includes console)
* S3: Full access with recent MFA
* S3: Access IAM user home directory (includes console)
* S3: Restrict management to a specific bucket
* S3: Read and write objects to a specific bucket
* S3: Read and write to a specific bucket (includes console)
* Managing IAM policies
* Creating IAM policies
* Creating IAM policies (console)
* Creating IAM policies (CLI)
* Creating IAM policies (API)
* Validating policies
* Generating policies
* Testing IAM policies
* Add or remove identity permissions
* Versioning IAM policies
* Editing IAM policies
* Deleting IAM policies
* Refining permissions using access information
* View IAM access information
* View access information for Organizations
* Example scenarios
* Understanding policies
* Policy summary (list of services)
* Access levels in policy summaries
* Service summary (list of actions)
* Action summary (list of resources)
* Example policy summaries
* Permissions required
* Example policies for IAM
* Code examples
* IAM examples
* Actions
* Add a user to a group
* Attach a policy to a role
* Attach a policy to a user
* Attach an inline policy to a role
* Create a SAML provider
* Create a group
* Create a policy
* Create a policy version
* Create a role
* Create a service-linked role
* Create a user
* Create an access key
* Create an alias for an account
* Create an inline policy for a group
* Create an inline policy for a user
* Delete SAML provider
* Delete a group
* Delete a group policy
* Delete a policy
* Delete a role
* Delete a role policy
* Delete a server certificate
* Delete a service-linked role
* Delete a user
* Delete an access key
* Delete an account alias
* Delete an inline policy from a user
* Detach a policy from a role
* Detach a policy from a user
* Generate a credential report
* Get a credential report
* Get a detailed authorization report for your account
* Get a policy
* Get a policy version
* Get a role
* Get a server certificate
* Get a service-linked role's deletion status
* Get a summary of account usage
* Get a user
* Get data about the last use of an access key
* Get the account password policy
* List SAML providers
* List a user's access keys
* List account aliases
* List groups
* List inline policies for a role
* List inline policies for a user
* List policies
* List policies attached to a role
* List roles
* List server certificates
* List users
* Remove a user from a group
* Update a server certificate
* Update a user
* Update an access key
* Upload a server certificate
* Scenarios
* Create a group and add a user
* Create a user and assume a role
* Create read-only and read-write users
* Manage access keys
* Manage policies
* Manage roles
* Manage your account
* Roll back a policy version
* AWS STS examples
* Actions
* Assume a role
* Get a session token
* Scenarios
* Assume an IAM role that requires an MFA token
* Construct a URL for federated users
* Get a session token that requires an MFA token
* Security
* AWS security credentials
* AWS security audit guidelines
* Data protection
* Logging and monitoring
* Compliance validation
* Resilience
* Infrastructure security
* Configuration and vulnerability analysis
* Security best practices and use cases
* Security best practices
* Business use cases
* AWS managed policies
* IAM Access Analyzer
* Findings for public and cross-account access
* How IAM Access Analyzer findings work
* Getting started with IAM Access Analyzer findings
* Working with findings
* Reviewing findings
* Filtering findings
* Archiving findings
* Resolving findings
* Supported resource types
* Settings
* Archive rules
* Monitoring with EventBridge
* Security Hub integration
* Logging with CloudTrail
* IAM Access Analyzer filter keys
* Using service-linked roles
* Preview access
* Previewing access in Amazon S3 console
* Previewing access with IAM Access Analyzer APIs
* IAM Access Analyzer policy validation
* Policy check reference
* IAM Access Analyzer policy generation
* IAM Access Analyzer policy generation and action last accessed support
* IAM Access Analyzer quotas
* Troubleshooting IAM
* General issues
* Access denied error messages
* IAM policies
* FIDO security keys
* IAM roles
* IAM and Amazon EC2
* IAM and Amazon S3
* SAML 2.0 federation
* Viewing a SAML response in your browser
* Reference
* Amazon Resource Names (ARNs)
* IAM identifiers
* IAM and AWS STS quotas
* Services that work with IAM
* Signing AWS API requests
* Signature Version 4 request elements
* Create a signed request
* Request signature examples
* Troubleshoot
* Policy reference
* JSON element reference
* Version
* Id
* Statement
* Sid
* Effect
* Principal
* NotPrincipal
* Action
* NotAction
* Resource
* NotResource
* Condition
* Condition operators
* Conditions with multiple keys or values
* Single-valued vs. multivalued condition keys
* Variables and tags
* Supported data types
* Policy evaluation logic
* Cross-account policy evaluation logic
* Policy grammar
* AWS managed policies for job functions
* Creating roles and attaching policies (console)
* Global condition keys
* IAM condition keys
* Actions, resources, and condition keys
* Resources
* Making HTTP query requests
* Document history
Enabling a virtual multi-factor authentication (MFA) device (console) - AWS
Identity and Access Management
AWSDocumentationAWS Identity and Access ManagementUser Guide
Permissions requiredEnable a virtual MFA device for an IAM user (console)Enable
a virtual MFA device for your AWS account root user (console)Replace or "rotate"
a virtual MFA device
ENABLING A VIRTUAL MULTI-FACTOR AUTHENTICATION (MFA) DEVICE (CONSOLE)
PDFRSS
You can use a phone or other device as a virtual multi-factor authentication
(MFA) device. To do this, install a mobile app that is compliant with RFC 6238,
a standards-based TOTP (time-based one-time password) algorithm. These apps
generate a six-digit authentication code. Because they can run on unsecured
mobile devices, virtual MFA might not provide the same level of security as FIDO
security keys. We do recommend that you use a virtual MFA device while waiting
for hardware purchase approval or while you wait for your hardware to arrive.
Most virtual MFA apps support creating multiple virtual devices, allowing you to
use the same app for multiple AWS accounts or users. You can register up to
eight MFA devices of any combination of the currently supported MFA types with
your AWS account root user and IAM users. With multiple MFA devices, you only
need one MFA device to sign in to the AWS Management Console or create a session
through the AWS CLI as that user.
For a list of virtual MFA apps that you can use, see Multi-Factor
Authentication. Note that AWS requires a virtual MFA app that produces a
six-digit OTP.
TOPICS
* Permissions required
* Enable a virtual MFA device for an IAM user (console)
* Enable a virtual MFA device for your AWS account root user (console)
* Replace or "rotate" a virtual MFA device
PERMISSIONS REQUIRED
To manage virtual MFA devices for your IAM user, you must have the permissions
from the following policy: AWS: Allows MFA-authenticated IAM users to manage
their own MFA device on the My security credentials page.
ENABLE A VIRTUAL MFA DEVICE FOR AN IAM USER (CONSOLE)
You can use IAM in the AWS Management Console to enable and manage a virtual MFA
device for an IAM user in your account. You can attach tags to your IAM
resources, including virtual MFA devices, to identify, organize, and control
access to them. You can tag virtual MFA devices only when you use the AWS CLI or
AWS API. To enable and manage an MFA device using the AWS CLI or AWS API, see
Enabling and managing virtual MFA devices (AWS CLI or AWS API). For more
information about tagging IAM resources, see Tagging IAM resources.
NOTE
You must have physical access to the hardware that will host the user's virtual
MFA device in order to configure MFA. For example, you might configure MFA for a
user who will use a virtual MFA device running on a smartphone. In that case,
you must have the smartphone available in order to finish the wizard. Because of
this, you might want to let users configure and manage their own virtual MFA
devices. In that case, you must grant users the permissions to perform the
necessary IAM actions. For more information and for an example of an IAM policy
that grants these permissions, see AWS: Allows MFA-authenticated IAM users to
manage their own MFA device on the My security credentials page.
TO ENABLE A VIRTUAL MFA DEVICE FOR AN IAM USER (CONSOLE)
1. Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users.
3. In the Users list, choose the name of the IAM user.
4. Choose the Security Credentials tab. Under Multi-factor authentication
(MFA), choose Assign MFA device.
5. In the wizard, type a Device name, choose Authenticator app, and then choose
Next.
IAM generates and displays configuration information for the virtual MFA
device, including a QR code graphic. The graphic is a representation of the
"secret configuration key" that is available for manual entry on devices
that do not support QR codes.
6. Open your virtual MFA app. For a list of apps that you can use for hosting
virtual MFA devices, see Multi-Factor Authentication.
If the virtual MFA app supports multiple virtual MFA devices or accounts,
choose the option to create a new virtual MFA device or account.
7. Determine whether the MFA app supports QR codes, and then do one of the
following:
* From the wizard, choose Show QR code, and then use the app to scan the QR
code. For example, you might choose the camera icon or choose an option
similar to Scan code, and then use the device's camera to scan the code.
* From the wizard, choose Show secret key, and then type the secret key
into your MFA app.
When you are finished, the virtual MFA device starts generating one-time
passwords.
8. On the Set up device page, in the MFA code 1 box, type the one-time password
that currently appears in the virtual MFA device. Wait up to 30 seconds for
the device to generate a new one-time password. Then type the second
one-time password into the MFA code 2 box. Choose Add MFA.
IMPORTANT
Submit your request immediately after generating the codes. If you generate
the codes and then wait too long to submit the request, the MFA device
successfully associates with the user but the MFA device is out of sync.
This happens because time-based one-time passwords (TOTP) expire after a
short period of time. If this happens, you can resync the device.
The virtual MFA device is now ready for use with AWS. For information about
using MFA with the AWS Management Console, see Using MFA devices with your IAM
sign-in page.
ENABLE A VIRTUAL MFA DEVICE FOR YOUR AWS ACCOUNT ROOT USER (CONSOLE)
You can use the AWS Management Console to configure and enable a virtual MFA
device for your root user. To enable MFA devices for the AWS account, you must
be signed in to AWS using your root user credentials.
Before you enable MFA for your root user, review your account settings and
contact information to make sure that you have access to the email and phone
number. If your MFA device is lost, stolen, or not working, you can still sign
in as the root user by verifying your identity using that email and phone
number. To learn about signing in using these alternative factors of
authentication, see What if an MFA device is lost or stops working?.
TO CONFIGURE AND ENABLE A VIRTUAL MFA DEVICE FOR USE WITH YOUR ROOT USER
(CONSOLE)
1. Sign in to the AWS Management Console.
2. On the right side of the navigation bar, choose your account name, and
choose Security credentials. If necessary, choose Continue to Security
credentials.
3. In the Multi-Factor Authentication (MFA) section, choose Assign MFA device.
4. In the wizard, type a Device name, choose Authenticator app, and then choose
Next.
IAM generates and displays configuration information for the virtual MFA
device, including a QR code graphic. The graphic is a representation of the
secret configuration key that is available for manual entry on devices that
do not support QR codes.
5. Open the virtual MFA app on the device.
If the virtual MFA app supports multiple virtual MFA devices or accounts,
choose the option to create a new virtual MFA device or account.
6. The easiest way to configure the app is to use the app to scan the QR code.
If you cannot scan the code, you can type the configuration information
manually. The QR code and secret configuration key generated by IAM are tied
to your AWS account and cannot be used with a different account. They can,
however, be reused to configure a new MFA device for your account in case
you lose access to the original MFA device.
* To use the QR code to configure the virtual MFA device, from the wizard,
choose Show QR code. Then follow the app instructions for scanning the
code. For example, you might need to choose the camera icon or choose a
command like Scan account barcode, and then use the device's camera to
scan the QR code.
* In the Set up device wizard, choose Show secret key, and then type the
secret key into your MFA app.
IMPORTANT
Make a secure backup of the QR code or secret configuration key, or make
sure that you enable multiple MFA devices for your account. You can register
up to eight MFA devices of any combination of the currently supported MFA
types with your AWS account root user and IAM users. A virtual MFA device
might become unavailable, for example, if you lose the smartphone where the
virtual MFA device is hosted. If that happens and you are not able to sign
in to your account with no additional MFA devices attached to the user or
even by Recovering a root user MFA device, you will not be able to sign in
to your account and you will have to contact customer service to remove MFA
protection for the account.
The device starts generating six-digit numbers.
7. In the wizard, in the MFA code 1 box, type the one-time password that
currently appears in the virtual MFA device. Wait up to 30 seconds for the
device to generate a new one-time password. Then type the second one-time
password into the MFA code 2 box. Choose Add MFA.
IMPORTANT
Submit your request immediately after generating the code. If you generate
the codes and then wait too long to submit the request, the MFA device
successfully associates with the user but the MFA device is out of sync.
This happens because time-based one-time passwords (TOTP) expire after a
short period of time. If this happens, you can resync the device.
The device is ready for use with AWS. For information about using MFA with the
AWS Management Console, see Using MFA devices with your IAM sign-in page.
REPLACE OR "ROTATE" A VIRTUAL MFA DEVICE
You can register up to eight MFA devices of any combination of the currently
supported MFA types with your AWS account root user and IAM users. If the user
loses a device or needs to replace it for any reason, you must first deactivate
the old device. Then you can add the new device for the user.
* To deactivate the device currently associated with another IAM user, see
Deactivating MFA devices.
* To add a replacement virtual MFA device for another IAM user, follow the
steps in the procedure Enable a virtual MFA device for an IAM user (console)
above.
* To add a replacement virtual MFA device for the AWS account root user, follow
the steps in the procedure Enable a virtual MFA device for your AWS account
root user (console) earlier in this topic.
Javascript is disabled or is unavailable in your browser.
To use the Amazon Web Services Documentation, Javascript must be enabled. Please
refer to your browser's Help pages for instructions.
Document Conventions
Enabling MFA devices
Enabling a FIDO security key (console)
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of
it.
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.
Did this page help you?
Yes
No
Provide feedback
Next topic:Enabling a FIDO security key (console)
Previous topic:Enabling MFA devices
Need help?
* Try AWS re:Post
* Connect with an AWS IQ expert
PrivacySite termsCookie preferences
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ON THIS PAGE
--------------------------------------------------------------------------------
* Permissions required
* Enable a virtual MFA device for an IAM user (console)
* Enable a virtual MFA device for your AWS account root user (console)
* Replace or "rotate" a virtual MFA device
DID THIS PAGE HELP YOU? - NO
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.
Feedback