
I control multiple AWS accounts. I'd like to use MFA for the root logins.

I have a Gemalto hardware key fob from Amazon (docs) registered for MFA for the root account on one of them.

I tried to add MFA to a second account using the same key fob, but I got the message "The token serial number was not found.".

Can anyone confirm or deny whether it is possible to reuse the same key fob for MFA for multiple AWS accounts?

I have not been able to find anything about this scenario in Amazon's documentation, and the error message is ambiguous. Cryptographically it seems to me like it should work fine, as it's a time-based token, rather than an OTP chain.

Rich

1 Answer


Your logic seems sensible, but AWS doesn't support this.

Q. Can I use my authentication device with multiple AWS accounts?

No. The authentication device or mobile phone number is bound to an individual AWS identity (IAM user or root account). If you have a TOTP-compatible application installed on your smartphone, you can create multiple virtual MFA devices on the same smartphone. Each one of the virtual MFA devices is bound to a single identity, just like a hardware device. If you dissociate (deactivate) the authentication device, you can then reuse it with a different AWS identity. The authentication device cannot be used by more than one identity simultaneously.

https://aws.amazon.com/iam/faqs/

One possible rationale for their policy can be found in this answer to “Is Sharing the Same TOTP Across Multiple Servers Any Less Secure?”.

Michael - sqlbot
  • Thanks! Not sure why I didn't find that when I looked in the docs; it's right there in the main FAQ about 2FA :-) – Rich Feb 28 '17 at 11:03
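As an added illustration (not part of the question or the answer above), the Python below shows both halves of the discussion: an RFC 6238 TOTP code depends only on the fob's seed and the clock, so nothing cryptographic ties it to one account, and a toy registry reproduces the FAQ rule that a serial is bound to a single identity until it is deactivated. `DEMO_SECRET` is the RFC 6238 test seed, and `MfaRegistry` is a constructed model, not the IAM API.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 Appendix B test seed, not a real fob secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is just the clock, so the code carries nothing account-specific."""
    return hotp(secret, unix_time // step, digits)


class MfaRegistry:
    """Toy model of the FAQ rule: a serial is bound to at most one identity until deactivated."""

    def __init__(self):
        self._bound = {}   # serial number -> identity it is bound to
        self._secret = {}  # serial number -> seed provisioned for that fob

    def enable(self, serial, identity, secret):
        owner = self._bound.get(serial)
        if owner is not None and owner != identity:
            # The situation the asker hit: the fob is already bound elsewhere, so enrolment is refused.
            raise ValueError(f"serial {serial} is already bound to {owner}")
        self._bound[serial] = identity
        self._secret[serial] = secret

    def deactivate(self, serial, identity):
        if self._bound.get(serial) != identity:
            raise ValueError(f"serial {serial} is not bound to {identity}")
        del self._bound[serial]
        del self._secret[serial]

    def verify(self, serial, identity, code, unix_time, step=30):
        """Accept the current step or one either side (clock drift); only the bound identity can pass."""
        if self._bound.get(serial) != identity:
            return False
        secret = self._secret[serial]
        return any(totp(secret, unix_time + d * step, step) == code for d in (-1, 0, 1))
```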