
Multi-factor authentication setup in AWS - Step-by-Step Execution

Process Flow - Multi-factor authentication setup
Start MFA Setup
User logs into AWS Console
Navigate to IAM User Settings
Select MFA Device Type
Activate MFA Device
Scan QR Code with Authenticator App
Enter MFA Codes Twice
MFA Device Enabled
User must enter MFA code on login
This flow shows the step-by-step process of setting up MFA for an AWS user, from login to enabling the device and requiring MFA on future logins.
Execution Sample
aws iam enable-mfa-device \
  --user-name Alice \
  --serial-number arn:aws:iam::123456789012:mfa/Alice \
  --authentication-code1 123456 \
  --authentication-code2 789012
This command enables a virtual MFA device for user Alice by providing two consecutive MFA codes from the authenticator app.
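Why two consecutive codes are asked for, as an added example (not AWS code and not part of the original page): AWS virtual MFA devices generate RFC 6238 TOTP codes, and the check below models a verifier that accepts a pair only when the two codes come from adjacent 30-second steps. The names `totp`, `consecutive_pair_ok` and `drift_steps` are hypothetical, the secret is the constructed RFC 6238 test-vector secret, and the clock-skew allowance is an assumption because AWS does not publish its server-side window.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def consecutive_pair_ok(secret: bytes, code1: str, code2: str,
                        now: int, drift_steps: int = 1) -> bool:
    """Accept only if code1 and code2 belong to adjacent time steps near `now`.

    drift_steps is an assumed clock-skew allowance, not an AWS-documented value.
    """
    for d in range(-drift_steps - 1, drift_steps + 1):
        t1 = now + d * STEP
        first = totp(secret, t1)          # code for the earlier step
        second = totp(secret, t1 + STEP)  # code for the step right after it
        if (hmac.compare_digest(first, code1)
                and hmac.compare_digest(second, code2)):
            return True
    return False


# Constructed sample: the shared secret from the RFC 6238 test vectors.
SECRET = b"12345678901234567890"
T1, T2 = 1111111109, 1111111111  # these fall in adjacent 30-second steps

if __name__ == "__main__":
    c1, c2 = totp(SECRET, T1), totp(SECRET, T2)
    print("code1:", c1, "code2:", c2)
    print("pair accepted:", consecutive_pair_ok(SECRET, c1, c2, now=T2))
    print("same code twice:", consecutive_pair_ok(SECRET, c1, c1, now=T2))
    print("reversed order:", consecutive_pair_ok(SECRET, c2, c1, now=T2))
    print("stale pair:", consecutive_pair_ok(SECRET, c1, c2, now=T2 + 600))
```

A single code, the same code entered twice, or a pair generated minutes earlier all fail this check, which is what makes the two-code step a proof that the app holds the secret and that its clock is in step with the verifier.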
Process Table
| Step | Action | Input/Condition | Result |
|------|--------|-----------------|--------|
| 1 | User logs into AWS Console | User credentials correct | Access granted to console |
| 2 | Navigate to IAM User Settings | User selects own settings | IAM user page opens |
| 3 | Select MFA Device Type | Choose virtual MFA device | QR code generated |
| 4 | Scan QR Code | User scans with app | App linked to AWS account |
| 5 | Enter MFA Code 1 | User inputs first 6-digit code | Code accepted |
| 6 | Enter MFA Code 2 | User inputs second 6-digit code | Code accepted, device enabled |
| 7 | MFA Device Enabled | Device linked to user | Future logins require MFA code |
| 8 | User logs out and logs in again | User enters username and password | Prompted for MFA code |
| 9 | User enters MFA code | Correct code entered | Login successful |
| 10 | User enters MFA code | Incorrect code entered | Login denied |
| 11 | Exit | Setup complete | MFA enforced on user login |
💡 Setup completes after enabling MFA device and verifying codes; MFA required on future logins
Status Tracker
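| Variable | Start | After Step 4 | After Step 6 | After Step 7 | After Step 9 |
|----------|-------|--------------|--------------|--------------|--------------|
| MFA Device Status | Not enabled | Linked to app | Enabled | Enabled | Enabled |
| User Login State | Logged out | Logged in | Logged in | Logged out | Logged in with MFA |
| MFA Code Validity | N/A | N/A | N/A | N/A | Valid or Invalid depending on input |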
Key Moments - 3 Insights
Why do we need to enter two MFA codes during setup?
Entering two consecutive codes proves the authenticator app is synced correctly, as shown in steps 5 and 6 of the Process Table.
What happens if the user enters the wrong MFA code on login?
The login is denied, as shown in step 10 of the Process Table, ensuring security by blocking access without the correct MFA code.
Is MFA required immediately after enabling the device?
Yes, after step 7, MFA is enforced on all future logins, as shown in steps 8 and 9.
Visual Quiz - 3 Questions
Test your understanding
Look at the Process Table. At which step is the MFA device officially enabled?
A. Step 4
B. Step 8
C. Step 6
D. Step 10
💡 Hint
Check the 'Result' column for when the device is marked as enabled.
According to the Status Tracker, what is the MFA Device Status after Step 4?
A. Enabled
B. Linked to app
C. Not enabled
D. Invalid
💡 Hint
Look at the 'MFA Device Status' row under the 'After Step 4' column.
If the user enters an incorrect MFA code at login, what is the expected result according to the Process Table?
A. Login denied
B. Prompted to enter password again
C. Login successful
D. MFA device disabled
💡 Hint
Refer to step 10 in the Process Table under 'Result'.
Concept Snapshot
Multi-factor authentication (MFA) adds a second step to AWS login.
Setup involves linking a virtual MFA device via QR code.
User must enter two consecutive codes to enable MFA.
After setup, MFA code is required on every login.
This improves account security by requiring something you know (password) and something you have (MFA device).
Full Transcript
This visual execution shows how to set up multi-factor authentication (MFA) for an AWS user. The user logs into the AWS console, navigates to their IAM settings, and selects a virtual MFA device. A QR code is generated and scanned with an authenticator app. The user then enters two consecutive MFA codes to verify and enable the device. Once enabled, future logins require the user to enter an MFA code along with their password. If the code is correct, login succeeds; if incorrect, login is denied. This process strengthens security by requiring two forms of verification.