July 1, 2025
Secure AWS Accounts with Multi-Factor Authentication (MFA)
Multi-Factor Authentication is one of the simplest ways to protect your AWS account. Passwords get leaked. Devices get stolen. MFA makes sure those risks don’t turn into breaches.
AWS now requires MFA for all root accounts, and most security teams already expect it for every user with elevated permissions. If you’re not enforcing it across your AWS environment, now is the time.
What’s New in 2025
- Root users must use MFA
AWS rolled out mandatory MFA for root users in all accounts, including both standalone and those under AWS Organizations. - Each user can have multiple MFA devices
You can register up to eight per person. That means users can have a backup device in case they lose access to their main one. - Passkeys are now supported
Passkeys work with biometrics and device-based authentication. They’re easier to use and harder to compromise than one-time codes. - SMS is no longer allowed for new MFA setups
AWS no longer supports new SMS-based MFA. Use an authenticator app, a hardware key, or a passkey instead. - You can manage MFA centrally
AWS Organizations now lets you enforce MFA and manage root access across all accounts in one place.
How to Set Up MFA in AWS
- Sign in to the AWS Console
- Go to IAM → Users → Security credentials
- Under the MFA section, choose “Assign MFA device”
- Pick your method: virtual app, hardware key, or passkey
- Follow the setup instructions
- Test the device to make sure it works
Best Practices
- Require MFA for all users, not just root
- Use hardware keys or passkeys for admins
- Register more than one device per user
- Avoid SMS, even for existing setups
- Use AWS Config or Security Hub to check for gaps
MFA has moved from recommendation to requirement. AWS is making it a default part of account security, and the tools are now flexible enough to make adoption straightforward. If you haven’t rolled it out across your environment yet, you’re behind.
