How to Enable 2FA on AWS
A compromised AWS account doesn't just leak data — it runs up real money. AWS now requires MFA for root users on management accounts, and a 'virtual MFA device' is just standard TOTP: any authenticator app works, including 2FAA.
Quick path: AWS Console → account menu (top right) → Security credentials → Assign MFA device
Step-by-step: 2FA setup on AWS
1. Open Security credentials
   Sign in to the AWS Console, click your account name at the top right, then 'Security credentials'. (For an IAM user: IAM → Users → select user → 'Security credentials' tab.)
2. Assign an MFA device
   In the 'Multi-factor authentication (MFA)' section, click 'Assign MFA device'. Give it a name and choose 'Authenticator app'.
3. Scan the QR code with 2FAA
   AWS shows a QR code ('Show QR code') and a secret key. Open 2FAA and scan it; a 6-digit AWS code starts rotating.
4. Enter two consecutive codes
   AWS asks for two consecutive MFA codes to confirm sync: type the current code from 2FAA into the first box, wait ~30 seconds for it to rotate, then type the next code into the second box.
5. Repeat for the root user and each IAM user
   MFA is per-identity. Secure the root account first (AWS requires it), then assign devices to IAM users. Each gets its own QR code and its own entry in 2FAA.
Generate AWS 2FA codes with 2FAA
You don't need a separate authenticator app. 2FAA is a free, browser-based TOTP generator — your secret never leaves your device, and it works offline as a PWA. The same secret can be used in parallel with Google Authenticator or Authy if you prefer redundancy.
Frequently asked questions
Why does AWS ask for two consecutive codes?
To verify that your authenticator's clock is in sync with AWS. Entering two codes in a row proves the device generates the correct sequence, not just one lucky match.
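The two-code check, sketched in Python as an added illustration; it is not AWS's verification code and not part of 2FAA. It assumes standard TOTP parameters (RFC 6238, HMAC-SHA1, 30-second step, 6 digits); the `match_consecutive` helper, its `drift_steps` tolerance and the sample secret are constructed for this example.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, the rotation interval in step 4
DIGITS = 6   # code length shown by the authenticator

# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret key shown next to the QR code."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(decode_secret(secret_b32), unix_time // STEP)


def match_consecutive(secret_b32, code1, code2, unix_time, drift_steps=2):
    """Return the clock offset (in steps) at which code1 and code2 are
    back-to-back codes, or None. drift_steps is an assumed tolerance."""
    key = decode_secret(secret_b32)
    current = unix_time // STEP
    for offset in range(-drift_steps, drift_steps + 1):
        counter = current + offset
        if counter < 0:
            continue
        first_ok = hmac.compare_digest(hotp(key, counter), code1)
        second_ok = hmac.compare_digest(hotp(key, counter + 1), code2)
        if first_ok and second_ok:
            return offset
    return None


if __name__ == "__main__":
    first, second = totp(SAMPLE_SECRET, 59), totp(SAMPLE_SECRET, 89)
    print(first, second, match_consecutive(SAMPLE_SECRET, first, second, 59))
```

A pair that matches only at a non-zero offset tells the verifier how far the authenticator's clock has drifted; the same code typed twice, or the two codes in the wrong order, matches nowhere.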
Is root MFA actually mandatory now?
Yes — since 2024, AWS has been enforcing MFA for root users, starting with management accounts in AWS Organizations and expanding to standalone accounts. Don't wait for the enforcement email.
How do I use MFA with the AWS CLI?
Call 'aws sts get-session-token --serial-number <mfa-arn> --token-code <code from 2FAA>' to get temporary credentials, or configure your profile with mfa_serial. For AI-driven automation, 2FAA's MCP server can supply the token code programmatically.
How many MFA devices can one AWS user have?
Up to 8 per user (root included). Registering a second device — e.g., 2FAA in the browser plus a hardware key — protects you against losing any single one.