Multi-factor authentication

To help combat the potential security risk mentioned in the preceding section, IAM has a feature known as MFA. It is recommended for any user that has an elevated set of permissions within your AWS account, and it is a security best practice to enable MFA on the AWS root user, which cannot be restricted by IAM policies.

MFA adds a second factor of authentication after a user has signed in to your AWS account with their password. The user is prompted for a six-digit code generated by their MFA device; for virtual and hardware MFA devices the code is derived from a secret shared with AWS at enrollment and from the current time, so it changes every 30 seconds. Only if the correct code is entered is the user fully authenticated. This ensures that, should a password be compromised on its own, the attacker still lacks the second factor, and any code they manage to observe expires within its short window and cannot be reused.

There are many supported MFA devices that can be used with AWS, as you can see in the following table:

Setting MFA for a user is a simple process, and it is completed from within the IAM service, using the following steps:

  1. Log in to your AWS account.
  2. Select the IAM service from the service page.
  3. Select Users from the menu, as follows:
  4. Select the user that you would like to configure MFA for.
  5. Select the Security credentials tab, as shown in the following screenshot:
  6. You will notice that Assigned MFA device reads No. Click on the pencil to the right of No to configure the setting.
  7. Depending on your chosen MFA device, you will be asked to select either a virtual device or a physical device; afterwards, click on Next Step:
  8. For the rest of this process, I am going to select the virtual MFA device and use the Google Authenticator app on my phone to complete the process.
  9. Next, you will be presented with the following screen, showing a QR code that you can scan with the Google Authenticator app. The QR code encodes the device's secret seed (also available as a text secret key); treat it as a credential and do not keep a copy where others can read it:
  10. After scanning the image, the app will display a six-digit code, which I must then enter in the Authentication code 1 space. I must then wait for the six-digit number to change within the application (about 30 seconds), and then enter that new number in the Authentication code 2 space. The two codes must come from consecutive 30-second windows, so do not let further codes go by between entering them.
  11. Click on Activate virtual MFA.
  12. Upon successful configuration, you will be shown the following message, stating that MFA has been successfully associated with the user:

The next time the user logs in to the AWS account with their username, they will be asked to enter their password as normal, and then they will be asked to enter the six-digit MFA code, which is read from the MFA device that was registered for the user:
