Enable a passkey or security key for the root user (console)

You can configure and enable a passkey for your root user from the AWS Management Console only, not from the AWS CLI or AWS API.

To enable a passkey or security key for your root user (console)

Open the AWS Management Console and sign in using your root user credentials.

For instructions, see Sign in to the AWS Management Console as the root user in the AWS Sign-In User Guide.
On the right side of the navigation bar, choose your account name, and then choose Security credentials.
On your root user My security credentials page, under Multi-factor authentication (MFA), choose Assign MFA device.
On the MFA device name page, enter a Device name, choose Passkey or Security Key, and then choose Next.
On Set up device, set up your passkey. Create a passkey with biometric data like your face or fingerprint, with a device pin, or by inserting the FIDO security key into your computer's USB port and tapping it.
Follow the instructions on your browser to choose a passkey provider or where you want to store your passkey to use across your devices.
Choose Continue.

You have now registered your passkey for use with AWS. The next time you use your root user credentials to sign in, you must authenticate with your passkey to complete the sign-in process.

For help troubleshooting issues with your FIDO security key, see Troubleshoot FIDO security keys.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

MFA for the root user

Enable a virtual MFA device