MFA for the root account

1.13 and 1.14 Identity and Access Management (AWS CIS Benchmark).


The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a username and password used to access this account.

With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.

For Level 2, it is recommended that the root account be protected with a hardware MFA.

Establish virtual MFA/hardware MFA for the root account via the AWS Management Console

Step 1. Log in to the AWS Management Console and open the IAM console at

Note: To manage MFA devices for the root AWS account, you must use your root account credentials to sign in to AWS. You cannot manage MFA devices for the root account using other credentials.

Step 2. Click on Dashboard, and under "Security Status" expand "Activate MFA" on your root account.

Step 3. Click on Activate MFA.

Step 4.

a) Virtual MFA

In the wizard, click on A virtual MFA device and then click on Next Step.

b) Hardware MFA

In the wizard, click on A hardware MFA device and then click on Next Step.

Step 5.

a) Virtual MFA

IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the "secret configuration key" that is available for manual entry on devices that do not support QR codes.

b) Hardware MFA

In the "Serial Number" box, enter the serial number found on the back of the MFA device.

Step 6.

a) Virtual MFA

Open your virtual MFA application. For a list of apps that you can use for hosting virtual MFA devices, see "Virtual MFA Applications." If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).

b) Hardware MFA

In the "Authentication Code 1" box, enter the six-digit number displayed by the MFA device. You might need to press the button on the front of the device to display the number. Wait 30 seconds while the device refreshes the code, and then enter the next six-digit number into the "Authentication Code 2" box. You might need to press the button on the front of the device again to display the second number.

Step 7.

a) Virtual MFA

Determine whether the MFA app supports QR codes, and then do one of the following:

  • Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code. Then, use the device's camera to scan the code.
  • In the "Manage MFA Device" wizard, click on Show secret key for manual configuration. Then, type the secret configuration key into your MFA application. When you are finished, the virtual MFA device starts generating one-time passwords. Now,
    a) Go to the "Manage MFA Device" wizard,
    b) In the "Authentication Code 1" box, type the one time password that currently appears in the virtual MFA device,
    c) Wait up to 30 seconds for the device to generate a new one-time password,
    d) Type the second one-time password into the "Authentication Code 2" box,
    e) Choose Active Virtual MFA.

b) Hardware MFA

Click on Next Step. The MFA device is now associated with the AWS account. The next time you use your AWS account credentials to sign in, you will need to type in a code from the hardware MFA device.