Upgrading your Multi-Factor Authentication

The use of Multi-Factor Authentication, or MFA, to access your Amazon Web Services management console is a best practice strategy.  We currently use MFA for all Managed Services clients at 2nd Watch.  Several Sr. Cloud Engineers recently updated their virtual MFA devices and had to rebuild their MFA associations.  This task can be daunting if performed after the fact.  Since the virtual Google Authenticator doesn’t have a supported export / import feature, we highly recommend the following before a device upgrade.


  1. For each AWS account, deactivate the current MFA virtual device.  To perform this task, log in to your AWS account using the Management Console, https://console.aws.amazon.com/
  2. Once logged in, navigate to the Security Credentials page under My Account / Console in the upper right corner of the Management Console, https://portal.aws.amazon.com/gp/aws/securityCredentials
  3. About halfway down the page is the Sign-In Credentials section where the AWS Multi-Factor Authentication is displayed.  This is where you should de-activate your current virtual device.
  4. Log out and log back into your AWS Management Console to verify that the MFA has been successfully removed. (Important Step)
  5. You are now ready to activate your new virtual MFA device.


It is important to follow these steps prior to sanitizing your old device.  If you fail to deactivate your old device, you will need to contact AWS Support for a manual removal of your MFA device.  This can be time-consuming and, at times, the appropriate security authorization is hard to deliver.
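
A check for step 4 when many accounts are involved, added here as an example and not part of the original post: it reads each account's IAM credential report (the CSV with an `mfa_active` column and a `<root_account>` row) and lists every sign-in that is not confirmed MFA-free before the old device is wiped. The account IDs, the user `alice` and the function names are constructed for illustration, and it assumes the reports have already been downloaded.

```python
import csv
import io

# Constructed credential reports (trimmed to the columns used here) for two
# hypothetical accounts; real reports carry many more columns.
SAMPLE_REPORTS = {
    "111111111111": (
        "user,arn,mfa_active\n"
        "<root_account>,arn:aws:iam::111111111111:root,false\n"
        "alice,arn:aws:iam::111111111111:user/alice,true\n"
    ),
    "222222222222": (
        "user,arn,mfa_active\n"
        "<root_account>,arn:aws:iam::222222222222:root,true\n"
    ),
}

def mfa_status(report_csv):
    """Map each identity in one credential report to its mfa_active flag."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return {r["user"]: r["mfa_active"].strip().lower() == "true" for r in rows}

def wipe_blockers(reports, my_identities):
    """Return (account, identity, reason) for every sign-in not confirmed MFA-free.

    my_identities lists the (account, identity) pairs whose MFA lives on the
    old device. An identity missing from its report counts as a blocker,
    because an unverified association is not a deactivated one.
    """
    blockers = []
    for account, identity in my_identities:
        status = mfa_status(reports.get(account, "user,arn,mfa_active\n"))
        if identity not in status:
            blockers.append((account, identity, "not in report"))
        elif status[identity]:
            blockers.append((account, identity, "MFA still active"))
    return blockers

if __name__ == "__main__":
    # Constructed list of sign-ins tied to the device being replaced.
    mine = [("111111111111", "<root_account>"), ("111111111111", "alice"),
            ("222222222222", "<root_account>"), ("333333333333", "<root_account>")]
    for account, identity, reason in wipe_blockers(SAMPLE_REPORTS, mine):
        print(f"do not wipe yet: {account} {identity}: {reason}")
```

An empty result means every listed sign-in shows MFA deactivated; the log-out and log-in test in step 4 is still the final confirmation.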