Resynchronize virtual and hardware MFA devices
You can use AWS to resynchronize your virtual and hardware multi-factor authentication (MFA) devices. If your device is not synchronized when you try to use it, the sign-in attempt fails and IAM prompts you to resynchronize the device.
Note
FIDO security keys do not go out of sync. If a FIDO security key is lost or broken, you can deactivate it. For instructions on deactivating any MFA device type, see To deactivate an MFA device for another IAM user (console).
As an AWS administrator, you can resynchronize your IAM users' virtual and hardware MFA devices if they get out of synchronization.
If your AWS account root user MFA device is not working, you can resynchronize your device using the IAM console with or without completing the sign-in process. If you aren’t able to successfully resynchronize your device, you may need to de-associate and re-associate it. For more information on how to do this, see Deactivate an MFA device and AWS Multi-factor authentication in IAM.
Topics
Permissions required
To resynchronize virtual or hardware MFA devices for your own IAM user, you must have the permissions from the following policy. This policy does not allow you to create or deactivate a device.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListActions", "Effect": "Allow", "Action": [ "iam:ListVirtualMFADevices" ], "Resource": "*" }, { "Sid": "AllowUserToViewAndManageTheirOwnUserMFA", "Effect": "Allow", "Action": [ "iam:ListMFADevices", "iam:ResyncMFADevice" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "BlockAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] }
Resynchronizing virtual and hardware MFA devices (IAM console)
You can use the IAM console to resynchronize virtual and hardware MFA devices.
To resynchronize a virtual or hardware MFA device for your own IAM user (console)
-
Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console
. Note
For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.
To get your AWS account ID, contact your administrator.
-
In the navigation bar on the upper right, choose your user name, and then choose Security credentials.
-
On the AWS IAM credentials tab, in the Multi-factor authentication (MFA) section, choose the radio button next to the MFA device and choose Resync.
-
Type the next two sequentially generated codes from the device into MFA code 1 and MFA code 2. Then choose Resync.
Important
Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the request appears to work but the device remains out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time.
To resynchronize a virtual or hardware MFA device for another IAM user (console)
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Users, and then choose the name of the user whose MFA device needs to be resynchronized.
-
Choose the Security credentials tab. In the Multi-factor authentication (MFA) section, choose the radio button next to the MFA device and choose Resync.
-
Type the next two sequentially generated codes from the device into MFA code 1 and MFA code 2. Then choose Resync.
Important
Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the request appears to work but the device remains out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time.
To resynchronize your root user MFA before signing in (console)
-
On the Amazon Web Services Sign In With Authentication Device page, choose Having problems with your authentication device? Click here.
Note
You might see different text, such as Sign in using MFA and Troubleshoot your authentication device. However, the same features are provided.
-
In the Re-Sync With Our Servers section, type the next two sequentially generated codes from the device into MFA code 1 and MFA code 2. Then choose Re-sync authentication device.
-
If necessary, type your password again and choose Sign in. Then complete the sign-in using your MFA device.
To resynchronize your root user MFA device after signing in (console)
-
Sign in to the IAM console
as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password. Note
As the root user, you can't sign in to the Sign in as IAM user page. If you see the Sign in as IAM user page, choose Sign in using root user email near the bottom of the page. For help signing in as the root user, see Signing in to the AWS Management Console as the root user in the AWS Sign-In User Guide.
-
On the right side of the navigation bar, choose on your account name, and then choose Security credentials. If necessary, choose Continue to Security credentials.
-
Expand the Multi-factor authentication (MFA) section on the page.
-
Choose the radio button next to the device and choose Resync.
-
In the Resync MFA device dialog box, type the next two sequentially generated codes from the device into MFA code 1 and MFA code 2. Then choose Resync.
Important
Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device is successfully associated with the user, but the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time.
Resynchronizing virtual and hardware MFA devices (AWS CLI)
You can resynchronize virtual and hardware MFA devices from the AWS CLI.
To resynchronize a virtual or hardware MFA device for an IAM user (AWS CLI)
At a command prompt, issue the aws iam resync-mfa-device command:
-
Virtual MFA device: Specify Amazon Resource Name (ARN) of device as the serial number.
aws iam resync-mfa-device --user-name
Richard
--serial-number arn:aws:iam::123456789012
:mfa/RichardsMFA
--authentication-code1123456
--authentication-code2987654
-
Hardware MFA device: Specify hardware device's serial number as serial number. The format is vendor-specific. For example, you can purchase a gemalto token from Amazon. Its serial number is typically four letters followed by four numbers.
aws iam resync-mfa-device --user-name
Richard
--serial-numberABCD12345678
--authentication-code1123456
--authentication-code2987654
Important
Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the request fails because the codes expire after a short time.
Resynchronizing virtual and hardware MFA devices (AWS API)
IAM has an API call that performs synchronization. In this case, we recommend that you give your virtual and hardware MFA device users permission to access this API call. Then build a tool based on that API call so your users can resynchronize their devices whenever they need to.
To resynchronize a virtual or hardware MFA device for an IAM user (AWS API)
-
Send the ResyncMFADevice request.