

# MFA for Identity Center directory users
<a name="enable-mfa"></a>

**Important**  
MFA in IAM Identity Center is currently not supported for [external identity providers](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html).

IAM Identity Center comes preconfigured with multi-factor authentication (MFA) turned on by default so that all users must sign in with MFA in addition to their user name and password. This ensures that users must sign in to the AWS access portal using the following two factors:
+ Their user name and password. This is the first factor and is something users know.
+ Either a code, security key, or biometric. This is the second factor and is something users have (possession) or are (inherence). The second factor might be an authentication code generated by their mobile device, a security key connected to their computer, or the user's biometric scan.

Together, these multiple factors provide increased security by preventing unauthorized access to your AWS resources unless a valid MFA challenge has been successfully completed.

Each user can register up to two virtual authenticator apps, which are one-time password authenticator applications installed on your mobile device or tablet, and six FIDO authenticators, which include built-in authenticators and security keys, for a total of **eight** MFA devices. Learn more about [Available MFA types for IAM Identity Center](mfa-types.md).

**Topics**
+ [Available MFA types for IAM Identity Center](mfa-types.md)
+ [Configure MFA in IAM Identity Center](mfa-configure.md)
+ [Register an MFA device for users](how-to-register-device.md)
+ [Renaming and deleting MFA devices in IAM Identity Center](how-to-manage-device.md)

# Available MFA types for IAM Identity Center
<a name="mfa-types"></a>

Multi-factor authentication (MFA) is a simple and effective mechanism to enhance the security of your users. A user’s first factor — their password — is a secret that they memorize, also known as a knowledge factor. Other factors can be possession factors (something you have, such as a security key) or inherence factors (something you are, such as a biometric scan). We strongly recommend that you configure MFA to add an additional layer of security to your account. 

IAM Identity Center MFA supports the following device types. All MFA types are supported for both browser-based console access as well as using the AWS CLI v2 with IAM Identity Center. 
+ [FIDO2 authenticators](#mfa-types-fido2), including built-in authenticators and security keys
+ [Virtual authenticator apps](#mfa-types-apps)
+ Your own [RADIUS MFA](#about-radius) implementation connected through AWS Managed Microsoft AD

A user can have up to **eight** MFA devices, which include up to two virtual authenticator apps and six FIDO authenticators, registered to one AWS account. You can also configure MFA settings to require MFA whenever users attempt to sign in from a new device or browser, or when they sign in from an unknown IP address. For more information about how to configure MFA settings for your users, see [Choose MFA types for user authentication](how-to-configure-mfa-types.md) and [Configure MFA device enforcement](how-to-configure-mfa-device-enforcement.md).

## FIDO2 authenticators
<a name="mfa-types-fido2"></a>

[FIDO2](https://fidoalliance.org/fido2/) is a standard that includes CTAP2 and [WebAuthn](https://www.w3.org/TR/webauthn-2/) and is based on public key cryptography. FIDO credentials are phishing-resistant because they are unique to the website for which the credentials were created, such as AWS.

AWS supports the two most common form factors for FIDO authenticators: built-in authenticators and security keys. See below for more information about the most common types of FIDO authenticators.

**Topics**
+ [Built-in authenticators](#mfa-types-built-in-auth)
+ [Security keys](#mfa-types-keys)
+ [Password managers, passkey providers, and other FIDO authenticators](#mfa-types-other)

### Built-in authenticators
<a name="mfa-types-built-in-auth"></a>

Many modern computers and mobile phones have built-in authenticators, such as Touch ID on a MacBook or a Windows Hello-compatible camera. If your device has a FIDO-compatible built-in authenticator, you can use your fingerprint, face, or device PIN as a second factor.

### Security keys
<a name="mfa-types-keys"></a>

Security keys are FIDO-compatible external hardware authenticators that you can purchase and connect to your device through USB, BLE, or NFC. When you’re prompted for MFA, you simply complete a gesture with the key’s sensor. Some examples of security keys include YubiKeys and Feitian keys, and the most common security keys create device-bound FIDO credentials. For a list of all FIDO-certified security keys, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/).

### Password managers, passkey providers, and other FIDO authenticators
<a name="mfa-types-other"></a>

Multiple third party providers support FIDO authentication in mobile applications, as features in password managers, smart cards with a FIDO mode, and other form factors. These FIDO-compatible devices can work with IAM Identity Center, but we recommend that you test a FIDO authenticator yourself before enabling this option for MFA.

**Note**  
Some FIDO authenticators can create discoverable FIDO credentials known as passkeys. Passkeys may be bound to the device that creates them, or they may be syncable and backed up to a cloud. For example, you can register a passkey using Apple Touch ID on a supported MacBook, and then log in to a site from a Windows laptop using Google Chrome with your passkey in iCloud by following the on-screen prompts at sign-in. For more information about which devices support syncable passkeys and current passkey interoperability between operating systems and browsers, see [Device Support](https://passkeys.dev/device-support/) at [passkeys.dev](https://passkeys.dev/), a resource maintained by the FIDO Alliance and the World Wide Web Consortium (W3C).

## Virtual authenticator apps
<a name="mfa-types-apps"></a>

Authenticator apps are essentially one-time password (OTP)-based third-party authenticators. You can use an authenticator application installed on your mobile device or tablet as an authorized MFA device. The third-party authenticator application must be compliant with RFC 6238, the standards-based time-based one-time password (TOTP) algorithm, and must be capable of generating six-digit authentication codes.

When prompted for MFA, users must enter a valid code from their authenticator app within the input box presented. Each MFA device assigned to a user must be unique. Two authenticator apps can be registered for any given user.

### Tested authenticator apps
<a name="mfa-types-apps-tested"></a>

Any TOTP-compliant application will work with IAM Identity Center MFA. The following table lists well-known third-party authenticator apps to choose from.

| Operating system | Tested authenticator app |
| --- | --- |
| Android | [Authy](https://play.google.com/store/apps/details?id=com.authy.authy), [Duo Mobile](https://play.google.com/store/apps/details?id=com.duosecurity.duomobile), [Microsoft Authenticator](https://play.google.com/store/apps/details?id=com.azure.authenticator), [Google Authenticator](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) |
| iOS | [Authy](https://apps.apple.com/us/app/authy/id494168017), [Duo Mobile](https://apps.apple.com/us/app/duo-mobile/id422663827), [Microsoft Authenticator](https://apps.apple.com/us/app/microsoft-authenticator/id983156458), [Google Authenticator](https://apps.apple.com/us/app/google-authenticator/id388497605) |

## RADIUS MFA
<a name="about-radius"></a>

[Remote Authentication Dial-In User Service (RADIUS)](https://en.wikipedia.org/wiki/RADIUS) is an industry-standard client-server protocol that provides authentication, authorization, and accounting management so users can connect to network services. Directory Service includes a RADIUS client that connects to the RADIUS server upon which you have implemented your MFA solution. For more information, see [Enable Multi-Factor Authentication for AWS Managed Microsoft AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_mfa.html). 

You can use either RADIUS MFA or MFA in IAM Identity Center for user sign-ins to the user portal, but not both. MFA in IAM Identity Center is an alternative to RADIUS MFA in cases where you want AWS native two-factor authentication for access to the portal.

When you enable MFA in IAM Identity Center, your users need an MFA device to sign in to the AWS access portal. If you had previously used RADIUS MFA, enabling MFA in IAM Identity Center effectively overrides RADIUS MFA for users who sign in to the AWS access portal. However, RADIUS MFA continues to challenge users when they sign in to all other applications that work with Directory Service, such as Amazon RDS for SQL Server.

If your MFA is **Disabled** on the IAM Identity Center console and you have configured RADIUS MFA with Directory Service, RADIUS MFA governs AWS access portal sign-in. This means that IAM Identity Center falls back to RADIUS MFA configuration if MFA is disabled.

# Configure MFA in IAM Identity Center
<a name="mfa-configure"></a>

You can configure Multi-factor authentication (MFA) capabilities in IAM Identity Center when your identity source is configured with IAM Identity Center’s identity store, AWS Managed Microsoft AD, or AD Connector. MFA in IAM Identity Center is currently not supported for [external identity providers](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html).

The following are general MFA recommendations, depending on your IAM Identity Center settings and organizational preferences.
+ Users are encouraged to register multiple backup authenticators for all enabled MFA types. This practice can prevent loss of access in case of a broken or misplaced MFA device. 
+ Don't choose the **Require Them to Provide a One-Time Password Sent by Email** option if your users must sign in to the AWS access portal to access their email. For example, your users might use Microsoft 365 in the AWS access portal to read their email. In this case, users will not be able to retrieve the verification code and would be unable to sign in to the AWS access portal. For more information, see [Configure MFA device enforcement](how-to-configure-mfa-device-enforcement.md).
+ If you are already using RADIUS MFA that you configured with Directory Service, you do not need to enable MFA within IAM Identity Center. MFA in IAM Identity Center is an alternative to RADIUS MFA for Microsoft Active Directory users of IAM Identity Center. For more information, see [RADIUS MFA](mfa-types.md#about-radius).
+ The following YouTube video provides an overview of MFA and IAM Identity Center: [AWS Videos](https://www.youtube.com/watch?v=1iFvT8shnng)


**Topics**
+ [Prompt users for MFA](mfa-getting-started.md)
+ [Choose MFA types for user authentication](how-to-configure-mfa-types.md)
+ [Configure MFA device enforcement](how-to-configure-mfa-device-enforcement.md)
+ [Allow users to register their own MFA devices](how-to-allow-user-registration.md)

# Prompt users for MFA
<a name="mfa-getting-started"></a>

You can use the following steps to determine how often workforce users are prompted for multi-factor authentication (MFA) when they attempt to sign in to the AWS access portal. Before you begin, we recommend that you understand the [Available MFA types for IAM Identity Center](mfa-types.md).

**Important**  
The instructions in this section apply to [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/). They do not apply to [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM). IAM Identity Center users, groups, and user credentials are different from IAM users, groups, and IAM user credentials. If you are looking for instructions on deactivating MFA for IAM users, see [Deactivating MFA devices](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_disable.html) in the *AWS Identity and Access Management User Guide*.

**Note**  
If you’re using an external IdP, the **Multi-factor authentication** section will not be available. Your external IdP manages MFA settings, rather than IAM Identity Center managing them.

**To configure MFA**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. In the left navigation pane, choose **Settings**.

1. On the **Settings** page, choose the **Authentication** tab.

1. In the **Multi-factor authentication** section, choose **Configure**.

1. On the **Configure multi-factor authentication** page, under **Prompt users for MFA**, choose one of the following authentication modes based on the level of security that your business needs:
   + **Every time they sign in (always-on)**

     In this mode (the default setting), IAM Identity Center requires that users with a registered MFA device will be prompted every time they sign in. This is the most secure setting and ensures that your organizational or compliance policies are enforced by requiring that MFA be used every time they sign in to the AWS access portal. For example, PCI DSS strongly recommends MFA during every sign-in to access applications that support high-risk payment transactions.
   + **Only when their sign-in context changes (context-aware)**

     In this mode, IAM Identity Center provides users the option to trust their device during sign-in. After a user indicates that they want to trust a device, IAM Identity Center prompts the user for MFA once and analyzes the sign-in context (such as device, browser, and location) for the user’s subsequent sign-ins. For subsequent sign-ins, IAM Identity Center determines if the user is signing in with a previously trusted context. If the user’s sign-in context changes, IAM Identity Center prompts the user for MFA in addition to their email address and password credentials.

     This mode provides ease of use for users who frequently sign in from their workplace but is less secure than the **always-on** option. Users are only prompted for MFA if their sign-in context changes.
   + **Never (disabled)**

     While in this mode, all users will sign in with their standard user name and password only. Choosing this option disables IAM Identity Center MFA and is not recommended.

     While MFA is disabled for your Identity Center directory users, you cannot manage MFA devices in their user details, and Identity Center directory users cannot manage MFA devices from the AWS access portal.

     **Note**  
     If you are already using RADIUS MFA with Directory Service, and want to continue using it as your default MFA type, then you can leave the authentication mode as disabled to bypass MFA capabilities in IAM Identity Center. Changing from **Disabled** mode to **Context-aware** or **Always-on** mode will override the existing RADIUS MFA settings. For more information, see [RADIUS MFA](mfa-types.md#about-radius).

1. Choose **Save changes**.

**Related Topics**
+ [Choose MFA types for user authentication](how-to-configure-mfa-types.md)
+ [Configure MFA device enforcement](how-to-configure-mfa-device-enforcement.md)
+ [Allow users to register their own MFA devices](how-to-allow-user-registration.md)

# Choose MFA types for user authentication
<a name="how-to-configure-mfa-types"></a>

Use the following procedure to choose the device types your users can authenticate with when prompted for multi-factor authentication (MFA) in the AWS access portal.

**To configure MFA types for your users**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. In the left navigation pane, choose **Settings**.

1. On the **Settings** page, choose the **Authentication** tab.

1. In the **Multi-factor authentication** section, choose **Configure**.

1. On the **Configure multi-factor authentication** page, under **Users can authenticate with these MFA types** choose one of the following MFA types based on your business needs. For more information, see [Available MFA types for IAM Identity Center](mfa-types.md).
   + **Security keys and built-in authenticators**
   + **Authenticator apps**

1. Choose **Save changes**.

# Configure MFA device enforcement
<a name="how-to-configure-mfa-device-enforcement"></a>

Use the following procedure to determine whether your users must have a registered MFA device when signing in to the AWS access portal.

For more information about MFA in IAM, see [AWS Multi-factor authentication in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html). 

**To configure MFA device enforcement for your users**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. In the left navigation pane, choose **Settings**.

1. On the **Settings** page, choose the **Authentication** tab.

1. In the **Multi-factor authentication** section, choose **Configure**.

1. On the **Configure multi-factor authentication** page, under **If a user does not yet have a registered MFA device** choose one of the following choices based on your business needs:
   + **Require them to register an MFA device at sign in**

     This is the default setting when you first configure MFA for IAM Identity Center. Use this option when you want to require users who do not yet have a registered MFA device to self-enroll a device during sign-in, following a successful password authentication. This allows you to secure your organization’s AWS environments with MFA without having to individually enroll and distribute authentication devices to your users. During self-enrollment, your users can register any device from the [Available MFA types for IAM Identity Center](mfa-types.md) that you've previously enabled. After completing registration, users have the option to give their newly enrolled MFA device a friendly name, after which IAM Identity Center redirects the user to their original destination. If the user’s device is lost or stolen, you can simply remove that device from their account, and IAM Identity Center will require them to self-enroll a new device during their next sign-in.
   + **Require them to provide a one-time password sent by email to sign in**

     Use this option when you want to have verification codes sent to users by email. Because email is not bound to a specific device, this option does not meet the bar for industry-standard multi-factor authentication. But it does improve security over having a password alone. Email verification will only be requested if a user has not registered an MFA device. If the **Context-aware** authentication method has been enabled, the user will have the opportunity to mark the device on which they receive the email as trusted. Afterward they will not be required to verify an email code on future logins from that device, browser, and IP address combination.

     **Note**  
     If you are using Active Directory as your IAM Identity Center enabled identity source, the email address will always be based on the Active Directory `email` attribute. Custom Active Directory attribute mappings will not override this behavior.
   + **Block their sign-in**

     Use the **Block their sign-in** option when you want to enforce MFA use by every user before they can sign in to AWS.

     **Important**  
     If your authentication method is set to **Context-aware**, a user might select the **This is a trusted device** check box on the sign-in page. In that case, that user will not be prompted for MFA even if you have the **Block their sign-in** setting enabled. If you want these users to be prompted, change your authentication method to **Always-on**.
   + **Allow them to sign in**

     Use this option to indicate that MFA devices are not required in order for your users to sign in to the AWS access portal. Users who chose to register MFA devices will still be prompted for MFA.

1. Choose **Save changes**.

# Allow users to register their own MFA devices
<a name="how-to-allow-user-registration"></a>

IAM Identity Center administrators can allow users to self-register their own MFA devices.

**To allow users to register their own MFA devices**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. In the left navigation pane, choose **Settings**.

1. On the **Settings** page, choose the **Authentication** tab.

1. In the **Multi-factor authentication** section, choose **Configure**.

1. On the **Configure multi-factor authentication** page, under **Who can manage MFA devices**, choose **Users can add and manage their own MFA devices**.

1. Choose **Save changes**.

**Note**  
After you set up self-registration for your users, you might want to send them a link to the procedure [Registering your device for MFA](user-device-registration.md). This topic provides instructions on how to set up their own MFA devices.

# Register an MFA device for users
<a name="how-to-register-device"></a>

IAM Identity Center administrators can set up a new MFA device for access by a specific user in the IAM Identity Center console. Administrators must have physical access to the user's MFA device to register it. For example, if you configure MFA for a user who will use an MFA device running on a smartphone, you'll need physical access to the smartphone to complete the registration process. Alternatively, you can allow users to configure and manage their own MFA devices. For more information, see [Allow users to register their own MFA devices](how-to-allow-user-registration.md).

**To register an MFA device**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. In the left navigation pane, choose **Users**. Choose a user in the list. Don't select the checkbox next to the user for this step.

1. On the user details page, choose the **MFA devices** tab, and then choose **Register MFA device**.

1. On the **Register MFA device** page, select one of the following MFA device types, and follow the instructions:
   + **Authenticator app**

     1. On the **Set up the authenticator app** page, IAM Identity Center displays configuration information for the new MFA device, including a QR code graphic. The graphic is a representation of the secret key that is available for manual entry on devices that do not support QR codes.

     1. Using the physical MFA device, do the following:

        1. Open a compatible MFA authenticator app. For a list of tested apps that you can use with MFA devices, see [Virtual authenticator apps](mfa-types.md#mfa-types-apps). If the MFA app supports multiple accounts (multiple MFA devices), choose the option to create a new account (a new MFA device).

        1. Determine whether the MFA app supports QR codes, and then do one of the following on the **Set up the authenticator app** page:

           1. Choose **Show QR code**, and then use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to **Scan code**. Then use the device's camera to scan the code.

            1. Choose **Show secret key**, and then type that secret key into your MFA app.

               **Important**  
               When you configure an MFA device for IAM Identity Center, we recommend that you save a copy of the QR code or secret key *in a secure place*. This can help if the assigned user loses the phone or has to reinstall the MFA authenticator app. If either of those things happen, you can quickly reconfigure the app to use the same MFA configuration. This avoids the need to create a new MFA device in IAM Identity Center for the user.

     1. On the **Set up the authenticator app** page, under **Authenticator code**, type the one-time password that currently appears on the physical MFA device.

        **Important**  
        Submit your request immediately after generating the code. If you generate the code and then wait too long to submit the request, the MFA device is still associated with the user, but it is out of sync, because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.

     1. Choose **Assign MFA**. The MFA device can now start generating one-time passwords and is now ready for use with AWS.
   + **Security key**

     1. On the **Register your user's security key** page, follow the instructions given to you by your browser or platform.

        **Note**  
        The experience here varies based on the different operating systems and browsers, so please follow the instructions displayed by your browser or platform. After your user's device has been successfully registered, you will be given the option to associate a friendly display name to your user's newly enrolled device. If you want to change this, choose **Rename**, enter the new name, and then choose **Save**. If you have enabled the option to allow users to manage their own devices, the user will see this friendly name in the AWS access portal.

# Renaming and deleting MFA devices in IAM Identity Center
<a name="how-to-manage-device"></a>

IAM Identity Center administrators can use the following procedures to rename or delete a user's MFA device.

**To rename an MFA device**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. In the left navigation pane, choose **Users**. Choose the user in the list. Don't select the checkbox next to the user for this step.

1. On the user details page, choose the **MFA devices** tab, select the device, and then choose **Rename**.

1. When prompted, enter the new name and then choose **Rename**.

**To delete an MFA device**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. In the left navigation pane, choose **Users**. Choose the user in the list.

1. On the user details page, choose the **MFA devices** tab, select the device, and then choose **Delete**.

1. To confirm, type **DELETE**, and then choose **Delete**.