AWS Multi-Factor Authentication (MFA) is the practice or requiring two or more forms of authentication to protect AWS resources. It is an added security feature available through Amazon Identity and Access Management (IAM) that strengthens username and password credentials.
It is considered a best practice for MFA to be used for a root account or for “highly-privileged” users who have access to sensitive resources. It can be used for cross-account access across multiple AWS accounts. This is helpful if your company has multiple accounts and a trusted user needs to access all of them.
For MFA to work, a virtual MFA device, either a virtual device that is able to install a time-based one-time password on like a smartphone, or a hardware device, must be assigned to the IAM user or root account. The MFA device should be used when accessing AWS resources or logging on to an AWS website. AWS doesn’t charge added fees to use MFA once an MFA device is obtained. Each user must have a unique device and proof of possession is required by providing a valid MFA code.
Once MFA is enabled, the user will be prompted for a username, password and authentication code from their AWS MFA device when signing in to an AWS website. Using multiple factors to login provides added security for AWS resources and account settings.
MFA can be enabled for each AWS account or for individual IAM users created under a specific account.
AWS Multi-Factor Authentication is available at no extra cost.