# Assign a passkey or security key in the AWS Management Console
<a name="id_credentials_mfa_enable_fido"></a>

Passkeys are a type of [multi-factor authentication (MFA) device](id_credentials_mfa.md) that you can use to protect your AWS resources. AWS supports synced passkeys and device-bound passkeys, also known as security keys.

Synced passkeys allow IAM users to access their FIDO sign-in credentials on many of their devices, even new ones, without having to re-enroll every device on every account. Synced passkeys can be stored in first-party credential managers from Google, Apple, and Microsoft, or in third-party credential managers such as 1Password, Dashlane, and Bitwarden, and used as a second factor. You can also use on-device biometrics (for example, TouchID or FaceID) to unlock your chosen credential manager when using a passkey.

Alternatively, device-bound passkeys are bound to a FIDO security key that you plug into a USB port on your computer and then tap when prompted to securely complete the sign-in process. If you already use a FIDO security key with other services, and it has an [AWS supported configuration](id_credentials_mfa_fido_supported_configurations.md) (for example, the YubiKey 5 Series from Yubico), you can also use it with AWS. Otherwise, you need to purchase a FIDO security key if you want to use WebAuthn for MFA in AWS. Additionally, a single FIDO security key can be registered for multiple IAM users or root users, which makes it more useful for account security. For specifications and purchase information for both device types, see [Multi-Factor Authentication](http://aws.amazon.com/iam/details/mfa/).

You can register up to **eight** MFA devices of any combination of the [currently supported MFA types](https://aws.amazon.com/iam/features/mfa/) with your AWS account root user and IAM users. With multiple MFA devices, you only need one MFA device to sign in to the AWS Management Console or create a session through the AWS CLI as that user. We recommend that you register multiple MFA devices. For example, you can register a built-in authenticator and also register a security key that you keep in a physically secure location. If you’re unable to use your built-in authenticator, then you can use your registered security key. For authenticator applications, we also recommend enabling the cloud backup or sync feature in those apps to help you avoid losing access to your account if you lose or break your device with the authenticator apps.

**Note**  
We recommend that you require your human users to use temporary credentials when accessing AWS. Your users can federate into AWS with an identity provider where they authenticate with their corporate credentials and MFA configurations. To manage access to AWS and business applications, we recommend that you use IAM Identity Center. For more information, see the [IAM Identity Center User Guide](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html). 

**Topics**
+ [Permissions required](#enable-fido-mfa-for-iam-user-permissions-required)
+ [Enable a passkey or security key for your own IAM user (console)](#enable-fido-mfa-for-own-iam-user)
+ [Enable a passkey or security key for another IAM user (console)](#enable-fido-mfa-for-iam-user)
+ [Replace a passkey or security key](#replace-fido-mfa)
+ [Supported configurations for using passkeys and security keys](id_credentials_mfa_fido_supported_configurations.md)

## Permissions required
<a name="enable-fido-mfa-for-iam-user-permissions-required"></a>

To manage a FIDO passkey for your own IAM user while protecting sensitive MFA-related actions, you must have the permissions from the following policy:

**Note**  
The ARN values are static values and are not an indicator of what protocol was used to register the authenticator. We have deprecated U2F, so all new implementations use WebAuthn.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
```

## Enable a passkey or security key for your own IAM user (console)
<a name="enable-fido-mfa-for-own-iam-user"></a>

You can enable a passkey or security key for your own IAM user from the AWS Management Console only, not from the AWS CLI or AWS API. Before you can enable a security key, you must have physical access to the device.

**To enable a passkey or security key for your own IAM user (console)**

1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the [IAM console](https://console.aws.amazon.com/iam).
   **Note**  
   For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose **Sign in to a different account** near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.

   To get your AWS account ID, contact your administrator.

1. In the navigation bar on the upper right, choose your user name, and then choose **Security credentials**.   
![\[AWS Management Console Security credentials link\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/security-credentials-user.shared.console.png)

1. On the selected IAM user's page, choose the **Security credentials** tab.

1. Under **Multi-factor authentication (MFA)**, choose **Assign MFA device**.

1. On the **MFA device name** page, enter a **Device name**, choose **Passkey or Security Key**, and then choose **Next**.

1. On **Set up device**, set up your passkey. Create a passkey with biometric data like your face or fingerprint, with a device pin, or by inserting the FIDO security key into your computer's USB port and tapping it.

1. Follow the instructions on your browser and then choose **Continue**.

You have now registered your passkey or security key for use with AWS. For information about using MFA with the AWS Management Console, see [MFA enabled sign-in](console_sign-in-mfa.md). 

## Enable a passkey or security key for another IAM user (console)
<a name="enable-fido-mfa-for-iam-user"></a>

You can enable a passkey or security key for another IAM user from the AWS Management Console only, not from the AWS CLI or AWS API.

**To enable a passkey or security key for another IAM user (console)**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Users**.

1. Under **Users**, choose the name of the user for whom you want to enable MFA.

1. On the selected IAM user's page, choose the **Security credentials** tab.

1. Under **Multi-factor authentication (MFA)**, choose **Assign MFA device**.

1. On the **MFA device name** page, enter a **Device name**, choose **Passkey or Security Key**, and then choose **Next**.

1. On **Set up device**, set up your passkey. Create a passkey with biometric data like your face or fingerprint, with a device pin, or by inserting the FIDO security key into your computer's USB port and tapping it.

1. Follow the instructions on your browser and then choose **Continue**.

You have now registered a passkey or security key for another IAM user to use with AWS. For information about using MFA with the AWS Management Console, see [MFA enabled sign-in](console_sign-in-mfa.md).

## Replace a passkey or security key
<a name="replace-fido-mfa"></a>

Your AWS account root user and each IAM user can have up to eight MFA devices assigned at a time, in any combination of the [currently supported MFA types](https://aws.amazon.com/iam/features/mfa/). If the user loses a FIDO authenticator or needs to replace it for any reason, you must first deactivate the old FIDO authenticator. Then you can add a new MFA device for the user.
+ To deactivate the device currently associated with an IAM user, see [Deactivate an MFA device](id_credentials_mfa_disable.md).
+ To add a new FIDO security key for an IAM user, see [Enable a passkey or security key for your own IAM user (console)](#enable-fido-mfa-for-own-iam-user).

If you don't have access to a new passkey or security key, you can enable a new virtual MFA device or hardware TOTP token. See one of the following for instructions:
+ [Assign a virtual MFA device in the AWS Management Console](id_credentials_mfa_enable_virtual.md) 
+ [Assign a hardware TOTP token in the AWS Management Console](id_credentials_mfa_enable_physical.md) 

# Supported configurations for using passkeys and security keys
<a name="id_credentials_mfa_fido_supported_configurations"></a>

You can use FIDO2 device-bound passkeys, also known as security keys, as a multi-factor authentication (MFA) method with IAM using currently supported configurations. These include FIDO2 devices supported by IAM and browsers that support FIDO2. Before you register your FIDO2 device, check that you’re using the latest browser and operating system (OS) version. Features may behave differently across different browsers, authenticators, and OS clients. If your device registration fails on one browser, you can try to register with another browser. 

FIDO2 is an open authentication standard and an extension of FIDO U2F, offering the same high level of security based on public key cryptography. FIDO2 consists of the W3C Web Authentication specification (WebAuthn API) and the FIDO Alliance Client-to-Authenticator Protocol (CTAP), an application layer protocol. CTAP enables communication between client or platform, like a browser or operating system, with an external authenticator. When you enable a FIDO Certified authenticator in AWS, the security key creates a new key pair for use with only AWS. First, you enter your credentials. When prompted, you tap the security key, which responds to the authentication challenge issued by AWS. To learn more about the FIDO2 standard, see the [FIDO2 Project](https://en.wikipedia.org/wiki/FIDO2_Project).

## FIDO2 devices supported by AWS
<a name="id_credentials_mfa_fido_supported_devices"></a>

IAM supports FIDO2 security devices that connect to your devices through USB, Bluetooth, or NFC. IAM also supports platform authenticators such as TouchID or FaceID. IAM does not support local passkey registration for Windows Hello. To create and use passkeys, Windows users should use [cross-device authentication](https://passkeys.dev/docs/reference/terms/#cross-device-authentication-cda) where you use a passkey from one device like a mobile device or hardware security key to sign in on another device like a laptop.

**Note**  
AWS requires access to the physical USB port on your computer to verify your FIDO2 device. Security keys will not work with a virtual machine, a remote connection, or a browser's incognito mode.

The FIDO Alliance maintains a list of all [FIDO2 products](https://fidoalliance.org/certification/fido-certified-products/) that are compatible with FIDO specifications.

## Browsers that support FIDO2
<a name="id_credentials_mfa_fido_browsers"></a>

The availability of FIDO2 security devices that run in a web browser depends on the combination of browser and operating system. The following browsers currently support the use of security keys:

| Web browser | macOS 10.15+ | Windows 10 | Linux | iOS 14.5+ | Android 7+ | 
| --- | --- | --- | --- | --- | --- | 
| Chrome | Yes | Yes | Yes | Yes | No | 
| Safari | Yes | No | No | Yes | No | 
| Edge | Yes | Yes | No | Yes | No | 
| Firefox | Yes | Yes | No | Yes | No | 

**Note**  
Most Firefox versions that currently support FIDO2 don't enable support by default. For instructions on enabling FIDO2 support in Firefox, see [Troubleshoot Passkeys and FIDO Security Keys](troubleshoot_mfa-fido.md).  
Firefox on macOS may not fully support cross-device authentication workflows for passkeys. You may get a prompt to touch a security key instead of proceeding with cross-device authentication. We recommend using a different browser, such as Chrome or Safari, for signing in with passkeys on macOS.

For more information about browser support for a FIDO2-Certified device like YubiKey, see [Operating system and web browser support for FIDO2 and U2F](https://support.yubico.com/hc/en-us/articles/360016615020-Operating-system-and-web-browser-support-for-FIDO2-and-U2F).

### Browser plugins
<a name="id_credentials_mfa_fido_plugins"></a>

AWS supports only browsers that natively support FIDO2. AWS doesn't support using plugins to add FIDO2 browser support. Some browser plugins are incompatible with the FIDO2 standard and can cause unexpected results with FIDO2 security keys. 

For information on disabling browser plugins and other troubleshooting tips, see [I can't enable my FIDO security key](troubleshoot_mfa-fido.md#troubleshoot_mfa-fido-cant-enable). 

## Device certifications
<a name="id_credentials_mfa_fido_certifications"></a>

We capture and assign device-related certifications, such as FIPS validation and FIDO certification level, only during the registration of a security key. Your device certification is retrieved from the [FIDO Alliance Metadata Service (MDS)](https://fidoalliance.org/metadata/). If the certification status or level of your security key changes, it will not be reflected in the device tags automatically. To update the certification information of a device, register the device again to fetch the updated certification information. 

AWS provides the following certification types, obtained from the FIDO MDS, as condition keys during device registration: FIPS-140-2 (`iam:FIDO-FIPS-140-2-certification`), FIPS-140-3 (`iam:FIDO-FIPS-140-3-certification`), and FIDO certification level (`iam:FIDO-certification`). You can use these keys in your IAM policies to restrict registration to authenticators with your preferred certification type and level. For more information, see the policies below.

### Example policies for device certifications
<a name="id_credentials_mfa_fido_certifications_policies"></a>

The following use cases show sample policies that allow you to register MFA devices with FIPS certifications. In each policy, the first statement permits the `Create` step of `iam:RegisterSecurityKey` unconditionally, and the certification condition keys are evaluated on the `Activate` step; a device whose certification does not satisfy the condition is never activated.

**Topics**
+ [Use case 1: Allow registering only devices that have FIPS-140-2 L2 certifications](#id_credentials_mfa_fido_certifications_policies_use_case_1)
+ [Use case 2: Allow registering devices that have FIPS-140-2 L2 and FIDO L1 certifications](#id_credentials_mfa_fido_certifications_policies_use_case_2)
+ [Use case 3: Allow registering devices that have either FIPS-140-2 L2 or FIPS-140-3 L2 certifications](#id_credentials_mfa_fido_certifications_policies_use_case_3)
+ [Use case 4: Allow registering devices that have FIPS-140-2 L2 certification and support other MFA types like virtual authenticators and hardware TOTP](#id_credentials_mfa_fido_certifications_policies_use_case_4)

#### Use case 1: Allow registering only devices that have FIPS-140-2 L2 certifications
<a name="id_credentials_mfa_fido_certifications_policies_use_case_1"></a>

```json
{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey" : "Create"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey" : "Activate",
                    "iam:FIDO-FIPS-140-2-certification": "L2"
                }
            }
        }
    ]
}
```

#### Use case 2: Allow registering devices that have FIPS-140-2 L2 and FIDO L1 certifications
<a name="id_credentials_mfa_fido_certifications_policies_use_case_2"></a>

```json
{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey" : "Create"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey" : "Activate",
                    "iam:FIDO-FIPS-140-2-certification": "L2",
                    "iam:FIDO-certification": "L1"
                }
            }
        }
    ]
}
```

#### Use case 3: Allow registering devices that have either FIPS-140-2 L2 or FIPS-140-3 L2 certifications
<a name="id_credentials_mfa_fido_certifications_policies_use_case_3"></a>

```json
{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey" : "Create"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey" : "Activate",
                    "iam:FIDO-FIPS-140-2-certification": "L2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:EnableMFADevice",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:RegisterSecurityKey" : "Activate",
                    "iam:FIDO-FIPS-140-3-certification": "L2"
                }
            }
        }
    ]
}
```

#### Use case 4: Allow registering devices that have FIPS-140-2 L2 certification and support other MFA types like virtual authenticators and hardware TOTP
<a name="id_credentials_mfa_fido_certifications_policies_use_case_4"></a>

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Create"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:RegisterSecurityKey": "Activate",
          "iam:FIDO-FIPS-140-2-certification": "L2"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:EnableMFADevice",
      "Resource": "*",
      "Condition": {
        "Null": {
          "iam:RegisterSecurityKey": "true"
        }
      }
    }
  ]
}
```
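Added example, not part of the AWS documentation or of any AWS tooling: a small evaluator for the policy patterns used on this page, so you can see how the "Permissions required" policy (explicit `Deny` with `NotAction` and `BoolIfExists`) and the device-certification policies (`StringEquals` on `iam:RegisterSecurityKey` and the certification keys, `Null` in use case 4) decide before you attach them. It models only the operators those policies use, plus `Action`/`NotAction`, `Resource` wildcards and the `${aws:username}` variable; the request contexts, the user name `alice` and the account ID `111122223333` are constructed placeholders.

```python
"""Added example: minimal evaluator for the IAM policy patterns on this page.
Models only StringEquals, Null, BoolIfExists, Action/NotAction, Resource
wildcards and ${aws:username}. Request contexts below are constructed."""
import re


def _glob(pattern: str, value: str) -> bool:
    """IAM-style wildcard match; '*' matches any run of characters."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def _substitute(resource: str, ctx: dict) -> str:
    """Expand policy variables such as ${aws:username} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), resource)


def _condition_holds(cond: dict, ctx: dict) -> bool:
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            present, actual = key in ctx, ctx.get(key)
            if operator == "StringEquals":
                # A key missing from the request never satisfies StringEquals
                if not present or str(actual) != str(expected):
                    return False
            elif operator == "Null":
                # "true" means the key must be absent (e.g. a non-FIDO MFA device)
                if present == (str(expected).lower() == "true"):
                    return False
            elif operator == "BoolIfExists":
                # Matches when the key is absent; otherwise compares the value
                if present and str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    if "Action" in stmt:
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            return False
    elif any(_glob(a, action) for a in _as_list(stmt["NotAction"])):
        return False  # NotAction: statement covers every action except these
    if not any(_glob(_substitute(r, ctx), resource) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Return 'Allow', 'Deny' (an explicit deny always wins) or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# The "Permissions required" policy from this page, as a Python dict.
SELF_MANAGE_MFA = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
     "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
     "NotAction": ["iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices",
                   "iam:ResyncMFADevice"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

# Use case 4 from this page: FIPS-140-2 L2 security keys plus non-FIDO MFA types.
FIPS_L2_OR_OTHER_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:EnableMFADevice", "Resource": "*",
     "Condition": {"StringEquals": {"iam:RegisterSecurityKey": "Create"}}},
    {"Effect": "Allow", "Action": "iam:EnableMFADevice", "Resource": "*",
     "Condition": {"StringEquals": {"iam:RegisterSecurityKey": "Activate",
                                    "iam:FIDO-FIPS-140-2-certification": "L2"}}},
    {"Effect": "Allow", "Action": "iam:EnableMFADevice", "Resource": "*",
     "Condition": {"Null": {"iam:RegisterSecurityKey": "true"}}}]}

# Use case 1 is the same policy without the Null statement.
FIPS_L2_ONLY = {"Version": "2012-10-17",
                "Statement": FIPS_L2_OR_OTHER_MFA["Statement"][:2]}

# Constructed user ARN; 111122223333 is a placeholder account ID.
ALICE = "arn:aws:iam::111122223333:user/alice"

if __name__ == "__main__":
    no_mfa = {"aws:username": "alice"}
    with_mfa = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
    for action, ctx in [("iam:EnableMFADevice", no_mfa),
                        ("iam:DeactivateMFADevice", no_mfa),
                        ("iam:DeactivateMFADevice", with_mfa)]:
        print(f"self-manage {action:24} mfa={'aws:MultiFactorAuthPresent' in ctx}"
              f" -> {evaluate(SELF_MANAGE_MFA, action, ALICE, ctx)}")
    # {} models a virtual MFA device or TOTP token: no iam:RegisterSecurityKey key
    for label, policy in [("use case 4", FIPS_L2_OR_OTHER_MFA), ("use case 1", FIPS_L2_ONLY)]:
        for ctx in [{"iam:RegisterSecurityKey": "Activate", "iam:FIDO-FIPS-140-2-certification": "L2"},
                    {"iam:RegisterSecurityKey": "Activate", "iam:FIDO-FIPS-140-2-certification": "L1"},
                    {}]:
            print(f"{label} {ctx or 'non-FIDO device'} -> "
                  f"{evaluate(policy, 'iam:EnableMFADevice', ALICE, ctx)}")
```

Two results are worth noticing. Under the self-management policy, `iam:DeactivateMFADevice` is explicitly denied until the session carries `aws:MultiFactorAuthPresent=true`, while `iam:EnableMFADevice` stays allowed, which is what lets a user register a first device. Under use case 1, a request with no `iam:RegisterSecurityKey` key (a virtual MFA device or TOTP token) is implicitly denied; only the `Null` statement in use case 4 lets those device types through.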

## AWS CLI and AWS API
<a name="id_credentials_mfa_fido_cliapi"></a>

AWS supports using passkeys and security keys only in the AWS Management Console. Using passkeys and security keys for MFA is not supported in the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/) and [AWS API](https://aws.amazon.com/tools/), or for access to [MFA-protected API operations](id_credentials_mfa_configure-api-require.md).

## Additional resources
<a name="id_credentials_mfa_fido_additional_resources"></a>
+ For more information on using passkeys and security keys in AWS, see [Assign a passkey or security key in the AWS Management Console](id_credentials_mfa_enable_fido.md).
+ For help with troubleshooting passkeys and security keys in AWS, see [Troubleshoot Passkeys and FIDO Security Keys](troubleshoot_mfa-fido.md).
+ For general industry information on FIDO2 support, see [FIDO2 Project](https://en.wikipedia.org/wiki/FIDO2_Project). 