How To Recover Access To An Amazon Web Services (AWS) Account If Your MFA Device Is Malfunctioning Or Lost

When setting up a new AWS account, one of the first things that AWS recommends is to enable multi-factor authentication (MFA) on your AWS root user account. MFA makes it more difficult for someone to gain unauthorized access to your AWS root user account, because they would need your username, password and the MFA device to sign in to your account. However, your MFA device may get lost or stolen, or, if you use your phone as an MFA device, you may accidentally uninstall the app or erase the data on your phone without having set up an MFA app on a different smartphone. In any of these cases, this tutorial provides a guide on how to recover access to your Amazon Web Services (AWS) account in a few simple steps.


To complete this tutorial successfully, the following items are required. Please have them available before you start:
1) A working MFA device or MFA Android / iOS mobile app
2) The username and password for your root AWS account
3) The email address and phone number that were used when the AWS account was created


1) Go to and enter the username and password for your AWS root user account
2) When you get to the MFA sign-in step, click on TROUBLESHOOT MFA > SIGN IN USING ALTERNATIVE MFA
3) Complete the 3-step account verification process using the email address and phone number that you used when you created your AWS account
4) In the IAM Management console, remove your old MFA physical / virtual device and add a new device.

Step 1

1) Open a new web browser tab, and on the address bar, type and press ENTER. Click on MY ACCOUNT > AWS MANAGEMENT CONSOLE.

Step 2

2) Click on the ROOT USER option, enter the root user email address and click on NEXT.

3) Type the password for your root user account in the PASSWORD field and click on SIGN IN.

4) On the multi-factor authentication page, since you do not have the MFA device needed here, click on the TROUBLESHOOT MFA link.

5) Click on the SIGN IN USING ALTERNATIVE FACTOR button to start the process of signing in using alternative factors of authentication.

Step 3

6) Click on the SEND VERIFICATION EMAIL button and this will send an email to the email address that you used when you signed up on AWS. Go to your email client, open the email and click on the email account verification URL.

The URL will direct your web browser to STEP 2: PHONE NUMBER VERIFICATION

7) On STEP 2: PHONE NUMBER VERIFICATION, click on the CALL ME NOW button, answer the call on your phone and enter the 6-digit code shown.

8) If you entered the 6-digit code correctly, a SIGN IN TO THE CONSOLE button will be shown on STEP 3: SIGN IN. Click on this button, and your web browser will redirect to your AWS MANAGEMENT CONSOLE and automatically open the IAM SECURITY CREDENTIALS page.

Step 4

9) Expand the MULTI-FACTOR AUTHENTICATION (MFA) drop down and on the list of MFA devices click on the MANAGE button.

10) On the MANAGE MFA DEVICE popup box, you will be asked to choose an action to perform on the MFA device for your root user account. Click on the REMOVE radio button and click on the REMOVE button.

11) Click on the ACTIVATE MFA button to start the process of adding a new MFA device.

12) Choose VIRTUAL MFA DEVICE if you intend to use an MFA app such as Google Authenticator, and click on CONTINUE. If you intend to use a security key or any other type of hardware-based MFA device, click on the U2F SECURITY KEY option or the OTHER HARDWARE MFA DEVICE option.

In this case, the VIRTUAL MFA DEVICE option is chosen.

13) On the SET UP VIRTUAL MFA DEVICE step, click on SHOW QR CODE and open the MFA app on your device. Scan the QR CODE and type two consecutive MFA codes in the MFA CODE 1 and MFA CODE 2 input boxes, then click on the ASSIGN MFA button.

14) Once the MFA DEVICE assignment process is complete, you can sign out of the AWS MANAGEMENT CONSOLE and sign in using your new MFA device.
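
After step 14, it is worth checking that the only root sign-ins and MFA device changes on record are the ones you just made. The script below is an added example, not part of the original tutorial. It assumes CloudTrail management events for the account are available as JSON records; the sample records are constructed, and the helper names and the expected_ips parameter are hypothetical.

```python
from datetime import datetime

# CloudTrail eventName values for IAM calls that change MFA devices.
MFA_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice",
              "CreateVirtualMFADevice", "EnableMFADevice"}

def rec(t, name, who, ip):
    """Build a constructed record with only the CloudTrail fields used here."""
    return {"eventTime": f"2024-01-10T{t}Z", "eventName": name,
            "userIdentity": {"type": who}, "sourceIPAddress": ip}

# Constructed sample (not real logs): the recovery in steps 1-14, an unrelated
# IAM user enrolling MFA, and a later root sign-in from another address.
SAMPLE = [
    rec("09:02:11", "ConsoleLogin", "Root", "198.51.100.7"),
    rec("09:04:30", "DeactivateMFADevice", "Root", "198.51.100.7"),
    rec("09:04:31", "DeleteVirtualMFADevice", "Root", "198.51.100.7"),
    rec("09:05:02", "CreateVirtualMFADevice", "Root", "198.51.100.7"),
    rec("09:06:40", "EnableMFADevice", "Root", "198.51.100.7"),
    rec("10:15:00", "EnableMFADevice", "IAMUser", "192.0.2.44"),
    rec("11:00:00", "ConsoleLogin", "Root", "203.0.113.50"),
]

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def root_mfa_timeline(records):
    """Root sign-ins and root MFA device changes, oldest first."""
    wanted = MFA_EVENTS | {"ConsoleLogin"}
    picked = [r for r in records
              if r.get("userIdentity", {}).get("type") == "Root"
              and r.get("eventName") in wanted]
    return sorted(picked, key=lambda r: parse_time(r["eventTime"]))

def audit(records, expected_ips):
    """Flag root activity from unexpected addresses and time spent without MFA."""
    unexpected, removed_at, exposed, enabled = [], None, 0, None
    for r in root_mfa_timeline(records):
        name, when = r["eventName"], parse_time(r["eventTime"])
        if r["sourceIPAddress"] not in expected_ips:
            unexpected.append((name, r["sourceIPAddress"], r["eventTime"]))
        if name == "DeactivateMFADevice":
            removed_at, enabled = removed_at or when, False
        elif name == "EnableMFADevice":
            if removed_at is not None:
                exposed += int((when - removed_at).total_seconds())
            removed_at, enabled = None, True
    return {"unexpected": unexpected, "unprotected_seconds": exposed,
            "mfa_enabled": enabled}
```

Call audit() with the address or addresses you performed the recovery from. Any entry in "unexpected", or a final "mfa_enabled" value other than True, means the root account needs a closer look.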