Prompt users for MFA - AWS IAM Identity Center

Prompt users for MFA

You can enable secure access to the AWS access portal, IAM Identity Center integrated apps, and the AWS CLI by enabling multi-factor authentication (MFA).

Important

The instructions in this section apply to AWS IAM Identity Center. They do not apply to AWS Identity and Access Management (IAM). IAM Identity Center users, groups, and user credentials are different from IAM users, groups, and IAM user credentials. If you are looking for instructions on deactivating MFA for IAM users, see Deactivating MFA devices in the AWS Identity and Access Management User Guide.

Use the following steps to enable MFA in the IAM Identity Center console. Before you begin, we recommend that you understand the Available MFA types for IAM Identity Center.

Note

If you’re using an external IdP, the Multi-factor authentication section won't be available. Your external IdP manages MFA settings, rather than IAM Identity Center managing them.

To enable MFA
  1. Open the IAM Identity Center console.

  2. In the left navigation pane, choose Settings.

  3. On the Settings page, choose the Authentication tab.

  4. In the Multi-factor authentication section, choose Configure.

  5. On the Configure multi-factor authentication page, under Prompt users for MFA, choose one of the following authentication modes based on the level of security that your business needs:

    • Only when their sign-in context changes (context-aware)

      In this mode (the default), IAM Identity Center provides users the option to trust their device during sign-in. After a user indicates that they want to trust a device, IAM Identity Center prompts the user for MFA once and analyzes the sign-in context (such as device, browser, and location) for the user’s subsequent sign-ins. For subsequent sign-ins, IAM Identity Center determines if the user is signing in with a previously trusted context. If the user’s sign-in context changes, IAM Identity Center prompts the user for MFA in addition to their email address and password credentials.

      This mode provides ease of use for users who frequently sign in from their workplace, so they don’t need to complete MFA on every sign-in. They are only prompted for MFA if their sign-in context changes.

    • Every time they sign in (always-on)

      In this mode, IAM Identity Center requires users with a registered MFA device to complete MFA every time they sign in. Use this mode if you have organizational or compliance policies that require your users to complete MFA on every sign-in to the AWS access portal. For example, PCI DSS strongly recommends MFA during every sign-in to access applications that support high-risk payment transactions.

    • Never (disabled)

      While in this mode, all users will sign in with their standard user name and password only. Choosing this option disables IAM Identity Center MFA.

      While MFA is disabled for your Identity Center directory, you can't manage users' MFA devices from their user details, and Identity Center directory users can't manage their own MFA devices from the AWS access portal.

      Note

      If you are already using RADIUS MFA with AWS Directory Service, and want to continue using it as your default MFA type, then you can leave the authentication mode as disabled to bypass MFA capabilities in IAM Identity Center. Changing from Disabled mode to Context-aware or Always-on mode will override the existing RADIUS MFA settings. For more information, see RADIUS MFA.

  6. Choose Save changes.
