How to enable and test MFA on the AWS root account

Topic: Accounts access

Summary

Enable multi-factor authentication on the AWS root user, verify the MFA device works, and confirm sign-in requires the second factor. Use this after securing the root account and before any break-glass procedure.

Intent: How-to

Quick answer

  • In IAM → Users → root → Security credentials, assign a virtual or hardware MFA device and complete the enrollment flow.
  • Sign out and sign in again as root; confirm the console prompts for the MFA code and rejects sign-in without it.
  • Store a backup code or second MFA method in a secure location for break-glass recovery.

Steps

  1. Assign MFA to the root user

    Sign in as root, go to IAM → Users → root → Security credentials, and under MFA click Assign MFA device; choose virtual or hardware and complete the QR or serial setup.

  2. Verify MFA at sign-in

    Sign out, then sign in again as root; when prompted, enter the current MFA code and confirm you can access the console only with the code.

  3. Test rejection without MFA

    In an incognito or different browser, attempt sign-in as root and confirm that without the correct MFA code, sign-in is denied.

  4. Secure backup access

    Store backup codes or a second MFA method in a secure, offline location so designated responders can complete break-glass if the primary MFA is unavailable.

Summary

You will enable MFA on the AWS root account, confirm sign-in requires the second factor, and ensure backup access for break-glass. Use this guide right after securing the root account so root sign-in is always protected by MFA.

Prerequisites

  • Root account secured (no root access keys; see How to secure the AWS root account).
  • A virtual MFA app (e.g. Google Authenticator, Authy) or a compatible hardware MFA device.

Steps

Step 1: Assign MFA to the root user

  1. Sign in to the AWS Management Console as root at https://signin.aws.amazon.com/root.
  2. Open IAM → Users → root → Security credentials.
  3. Under Multi-factor authentication (MFA), click Assign MFA device.
  4. Choose Virtual MFA device or Hardware MFA device. For virtual, scan the QR code with your authenticator app and enter two consecutive codes to complete enrollment.

Step 2: Verify MFA at sign-in

  1. Sign out of the console (top-right menu → Sign out).
  2. Sign in again as root with email and password. The console should prompt for your MFA code.
  3. Enter the current code from your MFA device and confirm you reach the console. This confirms MFA is enforced for root sign-in.

Step 3: Test rejection without MFA

  1. In a private/incognito window (or another browser), go to the root sign-in page and enter the root email and password.
  2. When prompted for MFA, enter a wrong code or skip; confirm that sign-in is denied. This verifies that root cannot be used without the correct second factor.

Step 4: Secure backup access

Store backup codes (if the MFA app provides them) or a second registered MFA device in a secure, offline location. Only designated break-glass responders should have access. Document the procedure in your break-glass runbook.

Verification

  • IAM → Users → root → Security credentials shows MFA device assigned.
  • Signing in as root always prompts for an MFA code and fails without the correct code.
  • Backup MFA or backup codes are stored securely and documented for break-glass.
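The console checks above can be backed by evidence from CloudTrail: every console sign-in is recorded as a `ConsoleLogin` event whose `additionalEventData.MFAUsed` field says whether a second factor was used, and root sign-ins carry `userIdentity.type` of `Root`. The script below is an added example, not part of this guide or of any AWS tooling; it runs offline over a few constructed records that mirror what Steps 2 and 3 produce (a successful root sign-in with MFA and a failed attempt), plus one root sign-in without MFA that the check must flag. Field names follow the real CloudTrail record format; the event IDs, timestamps, account number and IP addresses are made up.

```python
import json

# Constructed sample CloudTrail records (not real logs). The account ID,
# event IDs, times and IP addresses are placeholders.
SAMPLE_RECORDS = [
    {   # Step 2 outcome: root signed in and supplied the MFA code.
        "eventID": "evt-1",
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "eventTime": "2024-01-01T10:00:00Z",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "sourceIPAddress": "198.51.100.10",
    },
    {   # Step 3 outcome: root sign-in denied (wrong or missing second factor).
        "eventID": "evt-2",
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "eventTime": "2024-01-01T10:05:00Z",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
        "errorMessage": "Failed authentication",
        "sourceIPAddress": "198.51.100.10",
    },
    {   # The condition the verification must catch: root got in with no MFA.
        "eventID": "evt-3",
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "eventTime": "2024-01-01T11:00:00Z",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
        "sourceIPAddress": "203.0.113.7",
    },
    {   # An IAM user sign-in; out of scope for a root-only check.
        "eventID": "evt-4",
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "eventTime": "2024-01-01T11:30:00Z",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "sourceIPAddress": "198.51.100.20",
    },
]

# CloudTrail log files wrap records as {"Records": [...]}; build one inline.
SAMPLE_JSON = json.dumps({"Records": SAMPLE_RECORDS})


def load_records(cloudtrail_json_text):
    """Return the list of records from a CloudTrail log file body."""
    return json.loads(cloudtrail_json_text).get("Records", [])


def is_root_console_login(record):
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("userIdentity", {}).get("type") == "Root")


def login_succeeded(record):
    return record.get("responseElements", {}).get("ConsoleLogin") == "Success"


def mfa_used(record):
    # Anything other than an explicit "Yes" is treated as no second factor.
    return record.get("additionalEventData", {}).get("MFAUsed") == "Yes"


def root_console_logins_without_mfa(records):
    """Event IDs of successful root sign-ins that did not use MFA."""
    return [r["eventID"] for r in records
            if is_root_console_login(r) and login_succeeded(r) and not mfa_used(r)]


def failed_root_console_logins(records):
    """Event IDs of denied root sign-ins (what Step 3 should produce)."""
    return [r["eventID"] for r in records
            if is_root_console_login(r) and not login_succeeded(r)]


def root_mfa_enforced(records):
    """True when no successful root sign-in in the window lacked MFA."""
    return not root_console_logins_without_mfa(records)


if __name__ == "__main__":
    recs = load_records(SAMPLE_JSON)
    print("root sign-ins without MFA:", root_console_logins_without_mfa(recs))
    print("denied root sign-ins:", failed_root_console_logins(recs))
    print("root MFA enforced:", root_mfa_enforced(recs))
```

Run the same functions over the real `Records` arrays downloaded from your CloudTrail bucket for the period covering Steps 2 and 3: the expected picture is exactly one successful root event with `MFAUsed: "Yes"`, one failure, and an empty list from `root_console_logins_without_mfa`. Any non-empty list there is a finding to investigate, and the same predicate is what a CloudWatch metric filter or SIEM rule for root-without-MFA should encode.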

Troubleshooting

“Invalid code” during enrollment — Ensure the device time is correct (NTP). Enter two consecutive codes; wait for the code to refresh between them if needed.
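Virtual MFA apps generate time-based one-time passwords (TOTP, RFC 6238): the code is an HMAC of the shared seed and the current 30-second counter, so a device whose clock is off by more than the server's tolerance produces a code the server never expects, and the "two consecutive codes" enrollment step is a check that the counter advances correctly. The block below is an added illustration of that mechanism, not code from this guide or from AWS; it uses the RFC 6238 reference seed as a constructed demo secret, and the ±1 step acceptance window and the pairing rule in `verify_enrollment_pair` are assumptions for the demo, not AWS's documented server behaviour.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 reference seed. A real virtual MFA seed
# comes only from the QR code or seed shown during enrollment.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step)


def accepted_codes(secret, server_time, step=STEP_SECONDS, window=1):
    """Codes a server would accept at server_time, allowing +/- window steps."""
    base = int(server_time) // step
    return {hotp(secret, base + k) for k in range(-window, window + 1)}


def accepted_with_drift(secret, server_time, drift_seconds, step=STEP_SECONDS, window=1):
    """Would a device whose clock is off by drift_seconds produce an accepted code?"""
    device_code = totp(secret, int(server_time) + drift_seconds, step)
    return device_code in accepted_codes(secret, server_time, step, window)


def verify_enrollment_pair(secret, code1, code2, server_time, step=STEP_SECONDS, window=1):
    """Demo enrollment check (assumption, not AWS's algorithm): code1 and code2
    must come from consecutive counters n and n+1, with n+1 within the window."""
    base = int(server_time) // step
    for n in range(base - window - 1, base + window):
        if hotp(secret, n) == code1 and hotp(secret, n + 1) == code2:
            return True
    return False


if __name__ == "__main__":
    now = 1111111111  # fixed timestamp so the demo is deterministic
    print("code now:", totp(DEMO_SECRET, now))
    for drift in (0, -2, 29, 120):
        print(f"drift {drift:+d}s accepted:", accepted_with_drift(DEMO_SECRET, now, drift))
```

The drift loop is the troubleshooting entry in executable form: a few seconds of skew still lands inside the window, while a clock that is minutes off fails every code, which is why fixing NTP on the phone resolves "Invalid code" far more often than re-scanning the QR code does.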

Lost MFA device — Use account recovery (root email and possibly AWS support). After recovering, assign a new MFA device and update backup storage.

Console does not prompt for MFA — Confirm you are signing in as root (root sign-in URL). Clear cache/cookies and try again; ensure MFA is shown as assigned in IAM.

Next steps

Continue to