Enable Multi-Factor Authentication (MFA) – AWS IAM

What is MFA?

AWS Multi-Factor Authentication (MFA) is also known as 2-step authentication. It adds an additional layer of security to your AWS account and helps protect it from unauthorized access: a user ID and password alone are no longer enough to sign in. AWS lets you enable MFA for IAM users and for the root account user, and each user has their own MFA configuration within the same account. With MFA set up, AWS asks an IAM user to provide a unique authentication code on top of the user ID and password to sign in to the AWS account.

Types of MFA Devices

To set up MFA, you need an MFA device. AWS allows only one MFA device per AWS account root user or IAM user. The available MFA device types are as follows:

  • Virtual MFA Devices – This is a software app installed on your mobile phone or another device. AWS virtual MFA devices support RFC 6238, a standards-based TOTP (time-based one-time password) algorithm. Supported apps include Authy, Duo Mobile, LastPass Authenticator, Microsoft Authenticator and Google Authenticator.
  • U2F Security Key – This stands for Universal 2nd Factor security key. It is useful for accessing the AWS Management Console using certain web browsers.
  • Hardware MFA Device – This is a hardware token that generates a 6-digit numeric code based on a time-synchronized one-time password algorithm.
  • SMS text message-based MFA – With this, AWS sends a 6-digit code to the user’s mobile number via SMS during sign-in. This is available for IAM users only.

Enable MFA using Virtual MFA Device

In this blog we will enable MFA for an IAM user using Google Authenticator. If you don’t have an IAM user created yet, refer to Create IAM Users and Groups in AWS.

1. Sign in to the AWS Console (link) and open the IAM service

2. Go to the IAM Dashboard and click on your user

3. Go to Security Credentials

As you can see, MFA has not been configured for the Admin IAM user yet.

4. Click on Manage and select Virtual MFA device to continue

5. Set up MFA Virtual Device

  • In this step, you need to install a software app (Google Authenticator) on your phone.
  • Once the app is installed, you need to scan the QR code
  • Provide two consecutive MFA codes to complete the setup

6. Open Google Authenticator in your Phone

Now open Google Authenticator on your phone and scan the QR code. The authenticator generates two consecutive 6-digit codes like below

7. Click on Assign MFA

Once you click on Assign MFA, a successful MFA setup looks like below

8. Verify MFA Sign-in

You are done with the MFA setup for your IAM Admin user. Now verify the sign-in using MFA.

I hope this helps to set up Virtual MFA device for an IAM user in AWS.

Please comment below for any questions related to this blog.
