How to Enable a Virtual MFA Device for an IAM User

Last updated: May 29, 2026

Introduction

This guide walks you through enabling a virtual MFA device for an AWS IAM user via the AWS Management Console. Enabling MFA adds an extra layer of security by requiring a one-time password in addition to standard credentials.

You must have physical access to the device that will host the virtual MFA app before starting.

Prerequisites

  • Access to the AWS Management Console

  • Permission to manage IAM users

  • A virtual MFA app installed on your device (such as Google Authenticator, Authy, or Microsoft Authenticator)

Instructions

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

  2. In the left navigation pane, choose Users.

  3. Select the name of the IAM user you want to configure MFA for.

  4. Choose the Security Credentials tab. Under the Multi-factor authentication (MFA) section, choose Assign MFA device.

  5. Enter a Device name, select Authenticator app, then choose Next.

  6. Open your virtual MFA app. If it supports multiple accounts, choose the option to add a new account or device.

  7. Link your MFA app using one of these methods:

    • Choose Show QR code in the wizard and scan it using your app's camera

    • Choose Show secret key and manually enter it into your app

  8. Once linked, your MFA app will start generating one-time passwords.

  9. On the Set up device page, enter the current code from your app in the MFA code 1 box. Wait up to 30 seconds for the next code, then enter it in the MFA code 2 box.

  10. Choose Add MFA to complete the setup.

Expected Outcome

The virtual MFA device will now be associated with the IAM user. On subsequent logins, the user will be prompted to enter a one-time password from their MFA app.

Troubleshooting

MFA device is out of sync — This happens when too much time passes between generating the codes and submitting them. TOTP codes expire quickly, so submit immediately after generating both codes. If the device is already associated but out of sync, resync it via the IAM console under the same Security Credentials tab.

QR code will not scan — Use the manual secret key option instead. Choose Show secret key in the wizard and type it directly into your MFA app.

No MFA code being generated — Ensure your MFA app is correctly set up and that your device clock is accurate. TOTP codes depend on synchronized time between your device and AWS.
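As an added illustration that is not part of this guide, the following Python script shows how the secret key from Show secret key (step 7) produces the two consecutive codes entered in step 9, and why a device clock that is minutes off produces the out-of-sync error above. It implements RFC 6238 TOTP with the standard library only and uses the RFC's published test key as a constructed sample rather than a real secret.

```python
# Added example, not part of the AWS guide: standard-library RFC 6238 TOTP,
# the algorithm virtual MFA apps use for IAM (HMAC-SHA1, 6 digits, 30 s step).
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # one code per 30-second window, as in step 9
DIGITS = 6

# The RFC 4226/6238 test key ("12345678901234567890") in the base32 form the
# wizard shows under "Show secret key". A constructed sample, not a real secret.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int) -> str:
    """TOTP code for the 30-second window containing unix_time."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def consecutive_codes(secret_b32: str, unix_time: int) -> tuple:
    """The pair the wizard asks for: MFA code 1 now, MFA code 2 one window later."""
    return totp(secret_b32, unix_time), totp(secret_b32, unix_time + STEP_SECONDS)


def codes_match(secret_b32, code1, code2, server_time, window=1):
    """Check that code1/code2 are consecutive codes for a window near server_time.
    A small window tolerates slight drift; a device clock that is minutes off
    falls outside it, which is the "out of sync" failure described above."""
    base = server_time // STEP_SECONDS
    for n in range(base - window, base + window + 1):
        t = n * STEP_SECONDS
        if totp(secret_b32, t) == code1 and totp(secret_b32, t + STEP_SECONDS) == code2:
            return True
    return False


if __name__ == "__main__":
    now = 1111111109  # fixed time taken from the RFC 6238 test vectors
    c1, c2 = consecutive_codes(SAMPLE_SECRET_B32, now)
    print("MFA code 1:", c1, "MFA code 2:", c2)
    print("accepted with accurate clock:", codes_match(SAMPLE_SECRET_B32, c1, c2, now))
    print("accepted with device clock 5 min slow:", codes_match(SAMPLE_SECRET_B32, c1, c2, now + 300))
```

The codes printed for the RFC test key match the values in RFC 6238 Appendix B, so the script can be checked against that table before being pointed at a clock problem of your own.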