How do you make 2FA work on both an AWS account and an Amazon consumer account?

1

The scenario:

  • Both my Amazon consumer account (the one I use when I log in to amazon.com to buy stuff) and my AWS root account use the same email address.
  • 2FA can be enabled on both the Amazon consumer account and the AWS root account independently.

When 2FA is enabled on both amazon.com and AWS, this is the behavior:

  • Logging into amazon.com requires the TOTP configured for the MFA device connected to the Amazon consumer account. This is expected.
  • Logging into the AWS console with the root account requires both the TOTP from the MFA device connected to the Amazon consumer account, and the TOTP from the MFA device connected to the AWS root account. Each TOTP is asked for one after the other, with different web pages. Only when both are entered can you proceed to the console. This is unexpected.

When 2FA is enabled on only the AWS root account, this is the behavior:

  • Logging into the AWS console with the root account requires only the TOTP from the MFA device connected to the AWS root account. This is expected.
  • Logging into the Amazon consumer account requires the TOTP from the MFA device connected to the AWS root account. This is unexpected.

How do I set up 2FA on both accounts and have them be independent of the other account? This behavior is bizarre.

amoffat
asked 2 years ago · 101 views
No Answers
