Multi-Factor Authentication (MFA)

Multi-factor authentication adds a critical layer of security to your AWS identities. Even if a password or access key is compromised, MFA ensures that the attacker cannot gain access without the second authentication factor.

---

What is MFA?

MFA is a security mechanism that requires two or more independent forms of verification before granting access. The factors typically fall into three categories:

Factor Type	Description	Example
Something you know	A secret only you know	Password, PIN
Something you have	A physical device you possess	Phone, hardware token, security key
Something you are	A biometric characteristic	Fingerprint, facial recognition

In AWS, MFA combines your password (something you know) with a one-time code from a device (something you have). This means an attacker who steals your password still cannot access your account without also having your MFA device.

---

Why MFA is Critical in AWS

Consider the consequences of a compromised AWS account:

• Data breach — sensitive data in S3, RDS, or DynamoDB could be exposed.
• Resource abuse — an attacker could spin up expensive EC2 instances for cryptocurrency mining.
• Service disruption — production workloads could be deleted or modified.
• Compliance violations — regulatory requirements like PCI DSS, HIPAA, and SOC 2 mandate strong authentication.

MFA dramatically reduces the risk of these scenarios. AWS recommends enabling MFA for all IAM users, and it is mandatory for the root user as a security best practice.

---

MFA Device Types in AWS

AWS supports several types of MFA devices:

1. Virtual MFA Devices

Software applications that generate time-based one-time passwords (TOTP). Popular options include:

• Google Authenticator (iOS, Android)
• Authy (iOS, Android, Desktop)
• Microsoft Authenticator (iOS, Android)

These apps generate a new six-digit code every 30 seconds. When you sign in, you enter your password plus the current code from the app.

Pros: Free, easy to set up, no hardware needed. Cons: If the device is lost or wiped, you lose access (keep backup codes).

2. FIDO2 Security Keys

Physical hardware devices that support the FIDO2/WebAuthn standard. You plug them into a USB port or tap them against an NFC-enabled device.

Examples:

• YubiKey 5 Series
• Titan Security Key (Google)

Pros: Phishing-resistant, no codes to type, very secure. Cons: Costs money, easy to lose physically.

3. Hardware TOTP Tokens

Physical devices that display a TOTP code on a small screen. These are dedicated MFA devices — they do nothing else.

Example: Gemalto token (available from AWS).

Pros: Dedicated device, not vulnerable to phone-based attacks. Cons: Costs money, less convenient than a phone app.

---

Enabling MFA for the Root User

Enabling MFA on the root user is the single most important security step you can take after creating an AWS account.

Steps: