Back to Basics - AWS Root User MFA

Setting up MFA on your AWS Root account adds crucial security by requiring a second authentication factor, protecting your account from unauthorized access.

Joseph Giacobbe
Amazon Employee
Published Jun 9, 2025

Preventing Loss of Access

One of the biggest issues that I see when people enable MFA is that there is only one copy of the MFA token. Normally this lives on someone's personal phone, in an app like Google Authenticator. Even if your account is only used for personal projects, having a single copy of your MFA device can lead to headaches later on. If you lose access to your MFA devices, you'll have to go through a recovery process with AWS Support. That is a less than ideal path and will have a lead time before you can regain access.
It's an AWS best practice to register multiple MFA devices to prevent situations like this.

For SMB or Personal use

Following the 3-2-1 principles

3 - Copies of the MFA
2 - Copies within reach on different mediums
1 - Off-site copy

This is one way you can accomplish this:

  • 1 MFA token stored on a shared password manager vault
    • Shared password manager vault meaning that multiple people at your company or within your family have access to it. Ensure the people that do have access are trusted actors.
    • Make sure this is a shared vault, not just a shared record. If you only share the record and that employee leaves the company, you can lose access to the MFA record.
  • 1 MFA token stored on a hardware device locked in an office cabinet
  • 1 MFA token stored on a hardware device offsite in a secure place, like a bank lockbox
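To check an account against this practice, here is an added example (my own code, not from this post) that evaluates saved output of `aws iam get-account-summary` and `aws iam list-virtual-mfa-devices --assignment-status Assigned`, so it runs offline; the account ID and device serial numbers are constructed placeholders. Hardware tokens do not appear in the virtual-device list, so the device count is only a lower bound, while `AccountMFAEnabled` is authoritative for whether root MFA is on at all.

```python
import json

# Constructed sample CLI output (not from a real account); 111122223333 is a placeholder ID.
ACCOUNT_SUMMARY = json.loads('{"SummaryMap": {"AccountMFAEnabled": 1, "Users": 3}}')
VIRTUAL_MFA = json.loads("""{"VirtualMFADevices": [
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device",
   "User": {"Arn": "arn:aws:iam::111122223333:root", "UserId": "111122223333"}},
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/root-vault-copy",
   "User": {"Arn": "arn:aws:iam::111122223333:root", "UserId": "111122223333"}},
  {"SerialNumber": "arn:aws:iam::111122223333:mfa/alice-phone",
   "User": {"Arn": "arn:aws:iam::111122223333:user/alice", "UserId": "AIDAEXAMPLE"}}
]}""")


def root_virtual_devices(virtual_mfa: dict) -> list[str]:
    """Serial numbers of virtual MFA devices assigned to the root user (ARN ends in ':root')."""
    return [d["SerialNumber"] for d in virtual_mfa.get("VirtualMFADevices", [])
            if d.get("User", {}).get("Arn", "").endswith(":root")]


def assess_root_mfa(summary: dict, virtual_mfa: dict, target_copies: int = 3) -> dict:
    """Report whether root MFA is enabled and how many copies are visible.

    target_copies is the 3-copy target from the 3-2-1 practice; hardware tokens
    are invisible here, so a shortfall is a prompt to verify them, not proof of a gap.
    """
    enabled = summary["SummaryMap"].get("AccountMFAEnabled", 0) == 1
    devices = root_virtual_devices(virtual_mfa)
    findings = []
    if not enabled:
        findings.append("CRITICAL: root user has no MFA device enabled")
    elif len(devices) < target_copies:
        findings.append(
            f"WARN: only {len(devices)} virtual root MFA device(s) visible; "
            f"confirm hardware copies exist to reach {target_copies}")
    return {"mfa_enabled": enabled, "virtual_root_devices": devices,
            "meets_target": enabled and len(devices) >= target_copies,
            "findings": findings}


if __name__ == "__main__":
    print(json.dumps(assess_root_mfa(ACCOUNT_SUMMARY, VIRTUAL_MFA), indent=2))
```

Replace the constructed JSON with the real CLI output (for example `aws iam get-account-summary > summary.json`) to run it against your own account.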

Document the process

It's critical that you document the process you come up with. AWS best practices provide a high-level view of what to strive for, but everyone's method of execution will be slightly different.

You should document:

  1. The prerequisites for setting up MFA
    1. Buying the hardware device, access to the password manager, setting up the record in the password manager, etc.
  2. The method of setting up MFA for AWS Root accounts
    1. Step by step process of configuring the MFA devices for the AWS Root account
  3. Process to follow if an MFA device is lost or stolen

Above and Beyond

To be even more secure, you can do the following:

  • Separate the Root user password from the MFA token in your password manager, then create separate admin groups where one has access only to the password record and the other only to the MFA record.

Closing Notes

This article's scope focused only on MFA, but in the real world the entire account creation process should be documented. Ideally most of that process would be automated using IaC, but some things cannot be handled with IaC, like MFA device setup.
To learn more about the most up to date best practices, check out the official documentation in the AWS IAM User Guide.

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.