Are there benefits to using hardware security tokens for AWS Account access?

I’ve got access to numerous AWS accounts and typically use my phone as the MFA (Multi-Factor Authentication) device. That is a handy, secure, and cost-effective solution.

There is a specific case in which I do recommend using a hardware security token as the secondary MFA. I use it to protect access to the Root User of the AWS Management Account.

[Figure: aws_organization.png]

Let’s break this down:
✅ The Root User has unlimited permissions: it can create and destroy any AWS infrastructure and manage the other users in that account.
✅ The AWS Management Account manages the other AWS Accounts within the Organization. It has the power to add/remove accounts and configure user access.

There is a risk that I will lose my MFA device (the phone). In that scenario, I can use the hardware security token to log in as the Root User of the AWS Management Account and use it to regain access to all AWS Accounts (for example, I can register my NEW phone as the MFA device for the AWS users I use).

I depend on my phone for various daily activities because it is very convenient. Unfortunately, that device can be easily damaged or lost. Using the hardware security token gives me peace of mind (at least regarding the fallback access to the AWS infrastructure).
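A small posture check for the setup described above, added here as an example and not code from the original post: it reads the two IAM API responses (GetAccountSummary and ListVirtualMFADevices) and reports whether the root user has no MFA at all, has a virtual (phone app) MFA assigned, or has only non-virtual devices (a hardware TOTP token or FIDO security key). The `fetch_and_check` helper and the sample responses are my own constructions, and the account ID is a placeholder. Caveat: this API does not enumerate hardware tokens, so a root user that has both a virtual and a hardware device still reports as "virtual".

```python
"""Classify the root user's MFA posture from IAM API responses (added example)."""

ROOT_ARN_SUFFIX = ":root"  # root user ARN looks like arn:aws:iam::<account-id>:root


def root_mfa_posture(summary_map: dict, virtual_devices: list) -> str:
    """Return 'disabled', 'virtual' or 'non-virtual' for the root user.

    summary_map     -- the SummaryMap dict from GetAccountSummary
                       (AccountMFAEnabled is 1 when root has MFA, else 0)
    virtual_devices -- VirtualMFADevices from ListVirtualMFADevices(AssignmentStatus='Assigned')
    """
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        return "disabled"
    for dev in virtual_devices:
        user_arn = dev.get("User", {}).get("Arn", "")
        if user_arn.endswith(ROOT_ARN_SUFFIX):
            return "virtual"  # phone-app MFA is assigned to root
    return "non-virtual"  # MFA is on, but no virtual device belongs to root


def fetch_and_check() -> str:
    """Live variant (assumption, not part of the post): pulls both responses with boto3.
    Needs iam:GetAccountSummary and iam:ListVirtualMFADevices."""
    import boto3  # imported here so the offline check above has no dependency
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices, kwargs = [], {"AssignmentStatus": "Assigned"}
    while True:  # walk the paginated list until IsTruncated is false
        page = iam.list_virtual_mfa_devices(**kwargs)
        devices.extend(page["VirtualMFADevices"])
        if not page.get("IsTruncated"):
            break
        kwargs["Marker"] = page["Marker"]
    return root_mfa_posture(summary, devices)


# Constructed sample responses (placeholder account ID, not real data).
SAMPLE_SUMMARY = {"AccountMFAEnabled": 1, "Users": 3}
SAMPLE_DEVICES = [
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
     "User": {"Arn": "arn:aws:iam::123456789012:root", "UserId": "123456789012"}},
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
     "User": {"Arn": "arn:aws:iam::123456789012:user/alice", "UserId": "AIDAEXAMPLE"}},
]

if __name__ == "__main__":
    print(root_mfa_posture(SAMPLE_SUMMARY, SAMPLE_DEVICES))  # virtual
```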

How do you secure access to your AWS Accounts? What kind of fallback mechanism are you using?
