Enabling MFA

For extra security, we recommend that you require multi-factor authentication (MFA) for all users in your account. With MFA, users have a device that generates a response to an authentication challenge. Both the user's credentials and the device-generated response are required to complete the sign-in process. If a user's password or access keys are compromised, your account resources are still secure because of the additional authentication requirement.

The response is generated in one of the following ways:

• Virtual and hardware MFA devices generate a code that you view on the app or device and then enter on the sign-in screen.

• U2F security keys generate a response when you tap the device. The user does not manually enter a code on the sign-in screen.

For privileged IAM users who are allowed to access sensitive resources or API operations, we recommend using U2F or hardware MFA devices.

For more information about MFA, see Using Multi-Factor Authentication (MFA) in AWS.

To learn how to configure MFA-protected API access for access keys, see Configuring MFA-Protected API Access.