I receive errors when I try to sign in to my AWS account root user with multi-factor authentication (MFA).
Resolution
MFA authentication failures can occur for several reasons. Use the following sections to troubleshoot your issue.
Resynchronize your virtual MFA device
Virtual MFA devices and hardware time-based one-time password (TOTP) tokens generate codes with a time-sensitive algorithm. If your device generates codes that are consistently rejected, then the device is out of sync with your AWS account. It's a best practice to use FIDO security keys because they don't go out of sync.
To resynchronize your virtual or hardware MFA device, see Resynchronize virtual and hardware MFA devices.
Verify the time on your virtual MFA device
Virtual MFA applications rely on the time-sensitive TOTP algorithm. If your device's clock isn't synced with the correct time, then the codes it generates are invalid.
Activate automatic date and time settings on your mobile device, then verify the correct time zone configuration. After you update the time settings, generate a new code and try signing in again.
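The two sections above (resynchronizing a device and checking its clock) both come down to how TOTP ties a code to a 30-second time step. The following added example, which is not AWS code, implements RFC 6238 TOTP with the RFC's reference secret, shows that a device whose clock has crossed a step boundary is rejected unless the verifier allows a tolerance window, and derives a device's step offset from two consecutive codes (the input a resynchronization asks for). The secret, timestamps and the `resync_offset` helper are illustrative assumptions.

```python
"""Added example, not AWS code: how a TOTP code depends on the clock step,
why a device with a drifted clock is rejected, and how two consecutive codes
reveal the device's offset (the information a resynchronization needs)."""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B reference secret (ASCII), used only for illustration.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def totp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226/6238 code with HMAC-SHA1 for one 30-second step. digits=8
    matches the RFC test vectors; authenticator apps usually display 6."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, now: int, window: int = 0) -> bool:
    """Accept the code if it matches the current step or any step within
    +/- window. With window=0 even a few seconds of drift across a step
    boundary is enough for the server to reject the device's code."""
    step = now // STEP_SECONDS
    return any(hmac.compare_digest(totp(secret, step + k), code)
               for k in range(-window, window + 1))


def resync_offset(secret: bytes, first: str, second: str, now: int,
                  search: int = 20):
    """Find the step offset of a drifted device from two consecutive codes,
    the same input AWS asks for when you resynchronize a device. Returns
    None if no offset within +/- search steps reproduces both codes."""
    step = now // STEP_SECONDS
    for k in range(-search, search + 1):
        if (totp(secret, step + k) == first
                and totp(secret, step + k + 1) == second):
            return k
    return None


if __name__ == "__main__":
    now = 1111111109                   # RFC 6238 test time, T = 37037036
    drifted = totp(SECRET, now // STEP_SECONDS + 1)   # device 1 step ahead
    print(verify(SECRET, drifted, now, window=0))     # False: rejected
    print(verify(SECRET, drifted, now, window=1))     # True: within tolerance
```

Note that the RFC times 1111111109 and 1111111111 are only two seconds apart yet fall in different steps, which is why a clock that is off by a few seconds can already produce a rejected code.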
Use an alternate MFA device
If you have multiple MFA devices registered to your root user account, then you can use any registered device to sign in. It's a best practice to only register up to eight MFA devices.
To use another MFA device to sign in, see Recover an MFA protected identity in IAM.
Recover access when your MFA device is lost or broken
If your MFA device is lost, damaged, or not working and you don't have an alternate device, then you can still recover access. Use the email address and primary contact phone number registered with your AWS account to verify your identity.
Important: Before you try to recover, confirm you can access the email and primary contact phone number associated with your AWS account. If you need to update the primary contact phone number, then contact AWS Support.
To recover access to your root user account, see Recover an MFA protected identity in IAM.
Update your account phone number before recovery
If you no longer have access to the phone number registered with your account, then you can't use alternative authentication factors to recover access. Contact AWS Support for assistance.
Recover access for a member account in AWS Organizations
If your member account has centralized root access management active, then you can't recover access independently. Contact your management account administrator for assistance.
Change your root user password after recovery
After you regain access to your account, change your root user password.
Related information
AWS Multi-factor authentication in IAM
Deactivate an MFA device