39

I already have Google Authenticator installed on my iPhone and I'm using it to sign in to my AWS root account. I want to add the ability to log in with MFA using my Android phone as well, using a corresponding token-generator Android app.

Is it possible to add a second device, and how exactly? Or is AWS root account MFA bound to one (virtual) device?

Ion

6 Answers

38

AWS finally provides support for adding additional MFA devices.

As of November 16, 2022:

https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam

I'm leaving the old answer below for reference, but it should no longer be needed.


You can only have one MFA device tied to your root account. You would need to set up a separate IAM user account for your separate device.

From the FAQ:

Q. Can I have multiple authentication devices active for my AWS account? Yes. Each IAM user can have its own authentication device. However, each identity (IAM user or root account) can be associated with only one authentication device.

Update: So while it's not officially supported, here is one guy who claims he was able to register Google Authenticator on two devices by doing both at the exact same time with the same QR code. Granted he's not doing this with AWS, but it could be worth a try.

https://www.quora.com/Can-Google-Authenticator-be-used-on-multiple-devices

Update 2: I've started using Authy for MFA rather than Google Authenticator. One of the cool things Authy now supports is multi-device for all your MFA tokens. I currently have my phone and my tablet set up with access to my AWS account using Authy Multi Device.

http://blog.authy.com/multi-device

jszobody
  • I have verified this, it works. If you keep the QR code on your screen and scan it with multiple devices, the codes match on all devices. – Jaap Haagmans Jan 17 '14 at 09:19
  • Regarding Authy multi-device setup, it's important to note that on the second device you need to register with the MSISDN of your first device (you have essentially one "Authy phone number" for all of your devices). This wasn't obvious to me and took me a while to figure out. – Guss May 15 '14 at 08:35
  • I've also done this, but it wasn't necessary to have all devices in the same place at the same time - I scanned the QR code on a second device a few hours later and both devices then produced the same codes in sync. – Tom Jun 23 '14 at 10:52
  • I too am able to verify this for the AWS root user account: enabling MFA provides a one-time-use QR code that, if scanned by multiple virtual MFA devices (Google Authenticator), will result in those virtual devices being synced. If MFA is turned off and back on, the process must be repeated. I do this with my counterpart as an operational backup. I'm using Google Authenticator, they are using Authy. – Rich Andrews Apr 14 '22 at 15:31
12

Here is the solution: when the AWS MFA page shows the barcode, scan the barcode from different devices (I've tried with 3) at the same time. They create the same code; fill in the form with those codes and it works.

code_ada
  • I tried that and it is not the same code on 2 devices. Also you need to sync AWS with a specific device (enter the MFA code twice - 2 consecutive ones), so this does NOT work. – Joe Mar 12 '20 at 17:40
  • @Joe, just scan the QR code on both applications, and enter the two consecutive codes from only one of them. Both apps will work. The reason that the codes are **not** the same on both devices is that the algorithm is TOTP (the first T stands for time based). So if you were able to click on both apps at exactly the same time you would have exactly the same code on both apps. – gelonida May 07 '20 at 11:06
  • You don't have to scan **at the same time**. You just have to scan the same QR code. (See my answer) – gelonida May 07 '20 at 11:22
  • It worked for me: Authenticator, on 2 devices (iOS and Android). We scanned the code and the devices just showed the same code. – cristian Nov 08 '22 at 19:15
7

This is not really a new answer, but it tries to clarify and to explain a little better (or at least differently) why different virtual devices can be considered to be one virtual device.

At the moment (2020-05-07) you cannot have two different authentication devices for the same user (i.e. more than one of the following: a U2F USB key / a virtual device / a hardware device).

However, you can install the same virtual device application on multiple devices (mobile phones / tablets / PCs) if you initialize them all with the same initialisation code (QR code).

The virtual MFA device is just an implementation of the TOTP algorithm ( https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm ).

Each TOTP application has to be initialized with a 'secret' code (the QR code).

So if you scan the same QR code with different TOTP apps, then all of these apps can authenticate (they will behave identically).

When initializing at AWS you are asked to enter two consecutive codes generated by your TOTP app. (Just enter them from any of the apps that you initialized with the QR code. Or, if you are really crazy, create one code with one app and then create another code with the other app; just enter the code that was generated first, first.)

Afterwards all virtual devices will work and are completely interchangeable.

You could even 'archive' the QR code image in a safe place and add other virtual devices later (the QR code contains just the secret required to initialize the TOTP application). It does not expire.

From AWS Organizations documentation:

If you choose to use a virtual MFA application, then unlike our recommendation for the management account root user, for member accounts you can re-use a single MFA device for multiple member accounts. You can address geographic limitations by printing and securely storing the QR code used to configure the account in the virtual MFA application. Document the QR code's purpose, and seal and store it in accessible safes across the time zones you operate in, according to your information security policy. Then, when access is needed in a different geographic location, the local copy of the QR code can be retrieved and used to configure a virtual MFA app in the new location.

Adam Bennett
gelonida
5

I actually tried using the same secret configuration key from AWS on an iPhone, an iPad and an Android using Google Authenticator and they all worked fine. The same as what @Jaap did.

Bryan CS
  • Yeap, I did it too. See also update 2 in the selected answer, Authy can help you as well. – Ion Mar 14 '14 at 23:34
4

In addition to the solutions above:

1) You cannot make a QR code reappear after attaching an MFA device to an AWS account. So if you need to add another virtual MFA device, delete the existing device, reattach it, and take a screenshot of the QR code (or save the secret code), then scan this QR code with another device.

2) The QR code does not expire. I could use my code weeks after initialization.

Dzmitry Bahdanovich
1

You can export your accounts from Google Authenticator to another device without losing access to them from your current device.

I discovered this when I was upgrading my mobile device and found that my new device would show the exact same MFA codes as my current device at the same time.

  1. On your current MFA device, open Google Authenticator and tap "..." in the upper right corner.
  2. In the menu, select "Export accounts", then tap "Continue".
  3. You will see a list of accounts; select the ones you want to enable on the new device and then tap "Export".
  4. You will be shown a QR code, which you then scan from the new device.
LBC