添加虚拟MFA或硬件MFA

To enhance the security of your AWS account, adding a virtual Multi-Factor Authentication (MFA) device is a recommended step. With AWS, you can either add a virtual MFA to your root account or to an individual Identity and Access Management (IAM) user. This additional layer of security ensures that your account remains protected against unauthorized access.

添加虚拟MFA

Virtual authenticator apps implement the time-based one-time password (TOTP) algorithm and support multiple tokens on a single device. Virtual authenticators are supported for IAM users in the AWS GovCloud (US) Regions and in other AWS Regions. For more information about enabling virtual authenticators, see Enabling a virtual multi-factor authentication (MFA) device.

You can install apps for your smartphone from the app store that is specific to your type of smartphone. Some app providers also have web and desktop applications available. See the following table for examples.

Android	Twilio Authy Authenticator, Duo Mobile, Microsoft Authenticator, Google Authenticator, Symantec VIP
iOS	Twilio Authy Authenticator, Duo Mobile, Microsoft Authenticator, Google Authenticator, Symantec VIP

To add a virtual MFA device, see one of the following:

• Enable a virtual MFA device for your AWS account root user (console)

• Enable a virtual MFA device for an IAM user (console)

添加硬件MFA

需要首先购买一个硬件MFA，支持FIDO标准的安全密钥security key，或者TOTP token。FIDO Alliance维护了所有支持FIDO2标准的 FIDO2 products 清单。可以从该网站查询可用的安全密钥。推荐购买yubico的security key：https://www.yubico.com/sg/product/security-key-series/security-key-nfc-by-yubico-black/

然后将硬件MFA插到您所使用的电脑上，在控制台中配置，配置步骤如下：

To add a FIDO security key, see one of the following:

• Enable a FIDO security key for the AWS account root user (console)

• Enable a FIDO security key for another IAM user (console)

To add a hardware MFA device, see one of the following:

• Enable a hardware TOTP token for the AWS account root user (console).

• Enable a hardware TOTP token for another IAM user (console)

Hardware TOTP tokens

Hardware tokens also support the TOTP algorithm and are provided by Thales, a third-party provider. These tokens are for use exclusively with AWS accounts. For more information, see Enabling a hardware MFA device.

You can purchase these tokens directly from the manufacturers as a key fob or display card device.

Hardware TOTP tokens for the AWS GovCloud (US) Regions

Hardware TOTP tokens are compatible with the AWS GovCloud (US) Regions and are provided by Hypersecu, a third-party provider. These tokens are for use exclusively by IAM users with AWS GovCloud (US) accounts.

You can purchase these tokens directly from the manufacturer as a key fob.

https://aws.amazon.com/iam/features/mfa/