How to recover AWS account access if the MFA device is lost
It is recommended to enable multi-factor authentication (MFA) for your AWS account, and above all for the root user. MFA adds a second factor to the sign-in: after entering the password you must also enter a code from the MFA device, so a stolen or guessed password alone is not enough to get into the account.
If you lose your MFA device, or the device stops working, you cannot enter the MFA code. In that case you have to deactivate MFA for the account and set it up again on a new device.
In this article we will see the steps to deactivate MFA if you have lost your device and cannot enter the MFA code while signing in. To do this you need the user name (the root user's email address) and the password in hand. Note that this article covers the root user of an account that has both an email address and a phone number registered; signing in with alternative factors is available only to the root user. If no phone number is associated with the account, you will need to contact AWS Support. An IAM user who loses an MFA device cannot use this procedure; an administrator of the account has to deactivate and reset that user's MFA device instead.
Because this recovery path relies only on the email address and phone number registered on the account, those two are what protects the account once the MFA device is gone: keep the root email mailbox and the phone number under your control and protected with their own MFA. Once you have reset and deactivated MFA for your account, re-enable it on a new device immediately to keep your account secure.
Pre-requisites
- AWS account (create one if you don't have one).
- MFA enabled for the account.
What will we do?
- Reset the MFA
Reset the MFA
Go to the AWS sign-in page (https://console.aws.amazon.com/), choose the root user and enter the root user's email address as the user name.
After you enter the user name and password, you are asked to enter the MFA code.
Since the MFA device is not available and you cannot enter the MFA code, the only option left is to reset the MFA-based authentication.
To reset multi-factor authentication, click "Troubleshoot MFA".
Now you have two options:
- Re-sync the MFA device with the AWS servers, if your MFA device appears to be working but you are still not able to sign in (the device clock may have drifted).
- Sign in using alternative factors, if your MFA device is lost, damaged or not working.
Here, assuming that your device is lost or damaged, the only option available is to sign in using alternative factors. Click the "Sign in using alternative factors" button to proceed with the steps to deactivate MFA.
In Step 1 you get the option to send a verification email to the email address registered on the account. Click the "Send a verification email" button; you will receive an email in your inbox containing a verification link.
Click the link you received in your inbox.
When you click the link, Step 2 presents a button that places an automated call to the phone number registered on the account.
When you answer the call, enter the code displayed on your screen on the phone keypad.
After the email address and phone number are verified, Step 3 offers a "Sign in to the Console" button. You are redirected to the "Your Security Credentials" page, where you can click "Deactivate" next to the lost MFA device to remove it from the account. From then on you will not be asked for an MFA code when you sign in, so register a new MFA device on the same page before you leave the console.
It may happen that you do not receive the call in Step 2. In that case click "AWS support" to send a request to reset MFA, and the AWS Support team will call you. Choose the problem that matches your situation from the drop-down list. You need to provide your email address, account number, phone number and your full name when submitting the request.
If you lose your MFA device, or the device is damaged, you cannot enter the MFA code when you try to sign in to your account. In this article we saw the steps to deactivate MFA if you have lost your device or the device is damaged. Without an MFA device, you can deactivate MFA by verifying the email address and phone number registered on the account. Once you have deactivated MFA and regained access, set up MFA again on your new device to restore the account's security. Treat the recovery as a security event as well: the same email-plus-phone path could be used by anyone who controls those two channels, so review CloudTrail for root sign-ins without MFA and for MFA device changes you did not make yourself.
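The recovery above leaves a recognisable trail in CloudTrail: a root ConsoleLogin event with MFAUsed set to "No", followed by a DeactivateMFADevice call and, if you re-enabled MFA as advised, an EnableMFADevice call. The following script is an added example and is not part of the original article or of any AWS tooling; it scans CloudTrail records for that sequence and reports how long the root user was left without MFA. The records it runs over are constructed for the example (the account ID, times and IP addresses are made up); the field names and event names are the real CloudTrail ones.

```python
"""Flag root-user MFA recovery activity in CloudTrail records (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail log body (not real logs): a root sign-in
# without MFA, the MFA device being deactivated, MFA re-enabled 37m45s
# later, an unrelated IAM-user sign-in, and a later root sign-in with MFA.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T09:02:15Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"serialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device"}},
    {"eventTime": "2024-05-01T09:40:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "EnableMFADevice", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"serialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device"}},
    {"eventTime": "2024-05-02T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-03T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_records(trail_json):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a time-ordered list."""
    records = json.loads(trail_json)["Records"]
    return sorted(records, key=lambda r: parse_time(r["eventTime"]))


def is_root(record):
    """Root activity carries userIdentity.type == "Root" in CloudTrail."""
    return record.get("userIdentity", {}).get("type") == "Root"


def find_root_mfa_recovery(records):
    """Return findings for root activity matching the lost-MFA recovery path.

    Finding kinds:
      root_console_login_without_mfa  root sign-in where MFAUsed != "Yes"
      root_mfa_deactivated            DeactivateMFADevice by root
      root_mfa_reenabled              EnableMFADevice by root; detail is the
                                      number of seconds root had no MFA
      root_mfa_still_disabled         a deactivation with no later re-enable
    """
    findings = []
    deactivated_at = None
    for rec in records:
        if not is_root(rec):
            continue
        name, when = rec["eventName"], rec["eventTime"]
        if name == "ConsoleLogin":
            if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                outcome = rec.get("responseElements", {}).get("ConsoleLogin")
                findings.append({"kind": "root_console_login_without_mfa", "time": when,
                                 "detail": f"{rec.get('sourceIPAddress')} outcome={outcome}"})
        elif name == "DeactivateMFADevice":
            deactivated_at = parse_time(when)
            findings.append({"kind": "root_mfa_deactivated", "time": when,
                             "detail": rec.get("requestParameters", {}).get("serialNumber")})
        elif name == "EnableMFADevice" and deactivated_at is not None:
            gap = int((parse_time(when) - deactivated_at).total_seconds())
            findings.append({"kind": "root_mfa_reenabled", "time": when, "detail": gap})
            deactivated_at = None
    if deactivated_at is not None:
        findings.append({"kind": "root_mfa_still_disabled", "detail": None,
                         "time": deactivated_at.strftime("%Y-%m-%dT%H:%M:%SZ")})
    return findings


if __name__ == "__main__":
    for f in find_root_mfa_recovery(load_records(SAMPLE_TRAIL)):
        print(f["kind"], f["time"], f["detail"])
```

To run this against your own account, feed it the JSON log files CloudTrail delivers to S3 (the same {"Records": [...]} shape) and look for any root_console_login_without_mfa or root_mfa_deactivated finding whose time or source IP you do not recognise; a root_mfa_still_disabled finding means the last step of the procedure, registering a new device, was never done.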