
I already have Google Authenticator installed on my iPhone and I'm using it to sign in to my AWS root account. I want to add the ability to log in with MFA using my Android phone as well, using a corresponding token-generator Android app.

Is it possible to add a second device, and how exactly? Or is AWS root account MFA bound to one (virtual) device?

Ion

5 Answers


You can only have one MFA device tied to your root account. You would need to set up a separate IAM user account for your separate device.

From the FAQ:

Q. Can I have multiple authentication devices active for my AWS account? Yes. Each IAM user can have its own authentication device. However, each identity (IAM user or root account) can be associated with only one authentication device.

Update: So while it's not officially supported, here is one guy who claims he was able to register Google Authenticator on two devices by doing both at the exact same time with the same QR code. Granted, he's not doing this with AWS, but it could be worth a try.

https://www.quora.com/Can-Google-Authenticator-be-used-on-multiple-devices

Update 2: I've started using Authy for MFA rather than Google Authenticator. One of the cool things Authy now supports is multiple devices for all your MFA tokens. I currently have my phone and my tablet set up with access to my AWS account using Authy Multi Device.

http://blog.authy.com/multi-device

jszobody
  • I have verified this, it works. If you keep the QR code on your screen and scan it with multiple devices, the codes match on all devices. – Jaap Haagmans Jan 17 '14 at 09:19
  • Regarding Authy multi-device setup, it's important to note that on the second device you need to register with the MSISDN of your first device (you have essentially one "Authy phone number" for all of your devices). This wasn't obvious to me and took me a while to figure out. – Guss May 15 '14 at 08:35
  • I've also done this, but it wasn't necessary to have all devices in the same place at the same time - I scanned the QR code on a second device a few hours later and both devices then produced the same codes in sync. – Tom Jun 23 '14 at 10:52

Here is the solution: when the AWS MFA page shows the barcode, scan the barcode from different devices (I've tried with 3) at the same time. They create the same code; I filled in the form with the same codes and it works.

code_ada
  • I tried that and it is not the same code on 2 devices. Also you need to sync AWS with a specific device (enter the MFA code twice: 2 consecutive ones), so this does NOT work. – Joe Mar 12 '20 at 17:40
  • @Joe. Just scan the QR code on both applications, and enter the two consecutive ones from only one of them. Both apps will work. The reason that both codes are **not** the same on both devices is that the algorithm is TOTP (the first T stands for time based). So if you were able to click on both apps exactly at the same time you would have exactly the same code on both apps. – gelonida May 07 '20 at 11:06
  • You don't have to scan **at the same time**. You just have to scan the same QR code. (See my answer.) – gelonida May 07 '20 at 11:22

I actually tried using the same secret configuration key from AWS on an iPhone, an iPad and an Android using Google Authenticator and they all worked fine. The same as what @Jaap did.

Bryan CS
  • Yeap, I did it too. See also update 2 in the selected answer, Authy can help you as well. – Ion Mar 14 '14 at 23:34

This is not really a new answer, but it tries to clarify and to explain a little better (or at least differently) why different virtual devices can be considered to be one virtual device.

At the moment (2020-05-07) you cannot have two different authentication devices for the same user (i.e. more than one of the following: a U2F USB key / a virtual device / a hardware device).

However, you can install the same virtual device application on multiple devices (mobile phones / tablets / PCs) if you initialise them all with the same initialisation code (QR code).

The virtual MFA device is just an implementation of the TOTP algorithm ( https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm ).

Each TOTP application has to be initialised with a 'secret' code (the QR code).

So if you scan the same QR code with different TOTP apps, then all of these apps can authenticate (they will behave identically).

When initialising at AWS you are asked to enter two consecutive codes generated by your TOTP app. (Just enter them from any of the apps that you initialised with the QR code. Or, if you are really crazy, create one code with one app and then create another code with the other app; just enter the code that was generated first, first.)

Afterwards all virtual devices will work and are completely interchangeable.

You could even 'archive' the QR code image in a safe place and add other virtual devices later (the QR code contains just the secret required to initialise the TOTP application). It does not expire.

gelonida
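A worked example of the point made in this answer, added here as an illustration (it is not code from this thread or from AWS): a minimal RFC 6238 TOTP generator seeded the way an authenticator app is seeded from the QR code. Two "devices" built from the same secret produce identical codes for the same 30-second step, the two consecutive codes AWS asks for at enrollment can be taken from either device, and the secret keeps producing valid codes arbitrarily far in the future, which is why an archived QR code or seed stays usable. The otpauth URI, label and issuer below are constructed placeholders; the seed is the RFC 6238 test key, so the outputs can be checked against the RFC's published vectors.

```python
"""TOTP (RFC 6238) seen from the "virtual MFA device" side.

Added example, not code from the original thread or from AWS. It shows why any
number of authenticator apps seeded from the same QR code are interchangeable:
the QR code carries only a static secret, and each code is a pure function of
(secret, current 30-second step). The otpauth URI, label and issuer are
constructed; the seed is the RFC 6238 test key "12345678901234567890".
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 test key "12345678901234567890", base32-encoded (used so the demo is checkable).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed sample of the otpauth URI an authenticator app reads from a TOTP QR code.
# Label and issuer are placeholders; only the secret matters for code generation.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example%20Cloud:root@example.com"
    "?secret=" + RFC_SECRET_B32 + "&issuer=Example%20Cloud"
)


def parse_otpauth(uri):
    """Return (label, base32_secret, digits, period) from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    label = unquote(u.path.lstrip("/"))
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    return label, q["secret"][0], digits, period


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class VirtualMfaDevice:
    """One authenticator app instance; it holds nothing but the decoded seed."""

    def __init__(self, base32_secret, digits=6, period=30):
        s = base32_secret.replace(" ", "").upper()
        s += "=" * (-len(s) % 8)  # QR payloads usually omit base32 padding
        self.key = base64.b32decode(s)
        self.digits = digits
        self.period = period

    def code_at(self, unix_time):
        """Code shown at a given Unix time: same seed + same step => same code."""
        return hotp(self.key, int(unix_time) // self.period, self.digits)

    def now(self):
        return self.code_at(time.time())


def enrollment_pair(device, unix_time):
    """The two consecutive codes AWS asks for when enabling a virtual MFA device."""
    return device.code_at(unix_time), device.code_at(unix_time + device.period)


def verify(secret_b32, submitted, unix_time, window=1):
    """Server-side check with +/- `window` steps of tolerance: this is why a few
    seconds of clock skew between two phones does not break login."""
    dev = VirtualMfaDevice(secret_b32)
    for step in range(-window, window + 1):
        if hmac.compare_digest(dev.code_at(unix_time + step * dev.period), submitted):
            return True
    return False


def demo():
    _label, secret, digits, period = parse_otpauth(SAMPLE_OTPAUTH_URI)
    iphone = VirtualMfaDevice(secret, digits, period)
    android = VirtualMfaDevice(secret, digits, period)  # scanned the same QR code later
    t = 1111111109  # an RFC 6238 test-vector instant, so the run is reproducible
    assert iphone.code_at(t) == android.code_at(t)
    first, second = enrollment_pair(iphone, t)
    # Mixing apps for the enrollment pair also works: first from one, next from the other.
    assert (first, second) == (iphone.code_at(t), android.code_at(t + period))
    print("code at", t, "on both devices:", first, "next:", second)
    print("seed still valid far in the future:", iphone.code_at(20_000_000_000))
    print("verifier accepts the code 5 s later:", verify(secret, first, t + 5))


if __name__ == "__main__":
    demo()
```

If you create the virtual MFA device for an IAM user with the AWS CLI rather than the console, `aws iam create-virtual-mfa-device --virtual-mfa-device-name NAME --bootstrap-method Base32StringSeed --outfile seed.txt` writes the same base32 seed to a file, and `aws iam enable-mfa-device --user-name USER --serial-number ARN --authentication-code1 C1 --authentication-code2 C2` is the enrollment step that takes the two consecutive codes. Treat that seed file (or a screenshot of the QR code) like a password: anyone who obtains it can generate valid codes indefinitely, which is the flip side of the "it does not expire" property.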

In addition to the solutions above:

1) You cannot make a QR code reappear after attaching an MFA device to an AWS account. So if you need to add another virtual MFA device, delete the existing device, reattach it, take a screenshot of the QR code (or save the secret code), and then scan this QR code with another device.

2) The QR code does not expire. I could use my code weeks after initialization.

Dzmitry Bahdanovich