How to add a Second MFA device?


Hello. Now that AWS has announced that they support multiple MFA devices, how do I go about actually adding one? When I click on Manage MFA device for my IAM user, I don't get any option to add a new MFA device.

  • Currently it looks like it's available in some AWS Accounts but not all of them.

  • Same problem. But only on my older accounts. The newer accounts do have the option to add multiple MFA devices.

  • We are also seeing this issue on all of our IAM users, even when testing with the broadest IAM policy we're unable to add a second MFA for ourselves or another user.

  • We're seeing the same issue on one of our accounts. All of our other accounts are working fine. We even tried the IAM policy change from the answer below.

asked a year ago
2 Answers

According to AWS-support "not all accounts are yet eligible"

AndersB
answered a year ago

The policy that allows MFA to be configured uses the ${aws:username} variable and needs to be changed. Change "arn:aws:iam::*:mfa/${aws:username}" to "arn:aws:iam::*:mfa/*" to allow secondary MFA devices to be registered.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html

answered a year ago
  • In my environment, the MFA device registration button appears after reloading the management console several times, perhaps because it is still cached.

    If you have any other issues, please check if they are restricted by Permission Boundary or SCP in AWS Organizations. Additionally, make sure the account you are using is not for the AWS GovCloud (US) Region or AWS China Region.

  • This is not a good policy change to make. I just tested and verified that it grants access for all users to manage any user's MFA devices.

  • What @MJ1821 said.

    We have a policy in place that allows users to manage their own MFA devices in the console, this only worked because the ARN for the device was automatically set to ...mfa/${aws:username} - now it's broken, because any name can be entered for the device and we'd have to use ...mfa/${aws:*} instead :(

    Is there a way to fix this?

  • The policy thing is a separate issue from the original question, but here it is:

    The ARN of the device is arn:aws:iam::<accountnumber>:<devicetype>/user/<username>/<givenname>-<random-if-u2f>

    Where devicetype = mfa or u2f or <something else for TOTP hw-device> so policy should be arn:aws:iam:::mfa/${aws:username}/ AND arn:aws:iam:::u2f/${aws:username}/
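
The comments above disagree about how to widen the self-service MFA policy without letting every user touch every user's devices. The policy below is an added example written for this thread; it is not taken from the AWS documentation page linked in the answer and not anything a commenter posted. It relies on two properties of IAM that hold independently of this page: iam:CreateVirtualMFADevice and iam:DeleteVirtualMFADevice are authorized against the mfa resource (the device ARN), while iam:EnableMFADevice, iam:DeactivateMFADevice and iam:ResyncMFADevice are authorized against the user resource. The binding "only your own user" is therefore enforced on the user ARN, and the device-name wildcard only needs to be loose enough to allow several devices per user. The naming convention (device names equal to the username or prefixed with "<username>-") is an assumption of this example; users have to follow it when they type a device name in the console or CLI, or the create call is denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListMFADevices",
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCreateAndDeleteOwnNamedVirtualMFADevices",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:mfa/${aws:username}-*"
      ]
    },
    {
      "Sid": "AllowEnableAndDisableMFAOnOwnUserOnly",
      "Effect": "Allow",
      "Action": [
        "iam:EnableMFADevice",
        "iam:DeactivateMFADevice",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}
```

Compared with changing the single resource to arn:aws:iam::*:mfa/*, this keeps the virtual-device namespace partitioned per user (alice can create mfa/alice and mfa/alice-phone but not mfa/bob-phone), and the third statement is what actually prevents a user from attaching or removing a device on another user, since that is where the user ARN is checked. Two caveats: iam:DeleteVirtualMFADevice still only works on a device that is not currently enabled for any user, so an orphaned device created with the wrong name has to be cleaned up by an administrator; and, as the comment above notes, a permission boundary or an SCP that still references mfa/${aws:username} will override this allow, so check those before concluding the account is not yet eligible.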
