I activated multi-factor authentication (MFA) for AWS Identity and Access Management (IAM) users or the AWS account root user. I need to reset a lost or broken MFA device, but I no longer have access to my AWS account root user.
Resolution
Follow these instructions to get access to your AWS account root user. Next, reset the MFA device.
Note: To reset an MFA device for an IAM user, follow the instructions for Recovering an IAM user MFA device.
Get access to your AWS root user account
If you have access to the root user email address and phone number, then follow the instructions for Recovering a root user MFA device.
If you have access to the root user email address but don't have access to the phone number, then see How do I update my telephone number to reset my lost MFA device?
If you need to reset or recover an AWS IAM or root user password, then see How do I recover a lost or forgotten AWS password?
If you need additional assistance, see Lost or unusable multi-factor authentication (MFA) device.
Reset a root user for a member account in AWS Organizations
To reset root user MFA for a member account in AWS Organizations, you can use centralized root access. From the management account, delete root user credentials. This removes the root user password, access keys, and signing certificates, and it deactivates MFA for the member account. After you delete the root user credentials, you can allow password recovery and sign in as a root user for the member account without MFA.
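The member-account step above can also be scripted with the AWS CLI. The following is an added example, not code from this article or from AWS: it assumes centralized root access is already enabled, that the per-credential IAM calls made inside an `aws sts assume-root` session correspond to the "delete root user credentials" action described above, and it uses a hypothetical function name and a placeholder account ID.

```shell
#!/bin/sh
# Added example (not AWS's own code). Run with management-account or
# delegated-administrator credentials; assumes centralized root access is
# already enabled for the organization.
TASK_POLICY="arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"

# The function body is a subshell, so the temporary root session credentials
# exported below never reach the caller's environment; "exit" only ends it.
delete_member_root_credentials() (
  account_id="$1"
  # Accept only a 12-digit account ID before calling AWS.
  case "$account_id" in ''|*[!0-9]*) echo "invalid account id" >&2; exit 2 ;; esac
  [ "${#account_id}" -eq 12 ] || { echo "invalid account id" >&2; exit 2; }

  # Short-lived root session limited to the credential-deletion task policy.
  creds=$(aws sts assume-root \
    --target-principal "$account_id" \
    --task-policy-arn "arn=$TASK_POLICY" \
    --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || exit 1
  set -- $creds
  [ "$#" -eq 3 ] || { echo "unexpected assume-root output" >&2; exit 1; }
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"

  # With no user name given, these IAM calls act on the session's root user.
  for serial in $(aws iam list-mfa-devices \
      --query 'MFADevices[].SerialNumber' --output text); do
    aws iam deactivate-mfa-device --serial-number "$serial" || exit 1
  done
  for key in $(aws iam list-access-keys \
      --query 'AccessKeyMetadata[].AccessKeyId' --output text); do
    aws iam delete-access-key --access-key-id "$key" || exit 1
  done
  for cert in $(aws iam list-signing-certificates \
      --query 'Certificates[].CertificateId' --output text); do
    aws iam delete-signing-certificate --certificate-id "$cert" || exit 1
  done
  # Returns an error when no root password exists; that is not a failure here.
  aws iam delete-login-profile 2>/dev/null || true
)

# Usage (111122223333 is a placeholder member account ID):
#   delete_member_root_credentials 111122223333
```

Each `AssumeRoot` call is recorded in AWS CloudTrail in the management account, so the run can be matched to an approved recovery request.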
Reset the MFA device
Now that you have access to your root user account, you can reset the MFA device. The reset process varies based on the type of MFA you use:
For more information, see AWS Multi-factor authentication in IAM.
Related information
How do I troubleshoot the "entity already exists" error when an IAM user tries to create a new MFA device?
How do I enforce MFA authentication for IAM users that use the AWS Management Console and the AWS CLI?
How do I use the AWS CLI to authenticate access to AWS resources with an MFA token?
Reset your AWS root account's lost MFA device faster by using the AWS Management Console