Official path
Users → Security Credentials → Assign MFA device → Authenticator app → Show QR code → Add MFA Before you start
- Know whether you are setting up a root user or an IAM user.
- Save the QR code or the secret key before you leave the page.
- Prefer a security key or passkey when the account policy allows it.
Setup steps
- 01
Pick the correct identity
For IAM users, open Users, choose the user, and open Security Credentials. For root users, use the root account MFA path in the console.
- 02
Assign the MFA device
Choose Assign MFA device, then select Authenticator app.
- 03
Scan or reveal the secret
Use Show QR code or Show secret key, then add the token to your authenticator app.
- 04
Confirm with two codes
Enter MFA code 1 and MFA code 2, then choose Add MFA.
Recovery and backup
Try another MFA method
At sign-in, choose Try another MFA method or Troubleshoot MFA before you start a reset.
Resynchronize if the code drifts
Use Resynchronize virtual and hardware MFA devices if the token is correct but timing is off.
Use admin help when needed
If an IAM user loses the device, an administrator must deactivate the MFA device and let the user bind a new one.
Common problems
Security keys are preferred
AWS recommends security keys or passkeys before virtual MFA whenever the account policy allows it.
Different root and IAM recovery paths
Root sign-in recovery does not match IAM user recovery.
Fast code expiry
Virtual MFA codes expire quickly and can drift if the device clock is off.