Enabling two factor authentication is one of the best ways to keep your AWS and other accounts secure. There are a lots of ways to do this and one of the popular tools for this is Google Authenticator, which shows a 6 number rolling code that changes over time. Behind the scenes this code is generated from a shared secret between your phone and the service you are logging into, hashed with the current time.

The root account of an AWS account isn’t like a normal account. It is rarely used after inital setup, needs to be kept secure but accessible in a crisis for a team of people. This makes MFA configuration more complex especially as team members come and go.

An MFA workflow a former team used successfully is:

  • Generate and print the MFA QR code
  • Scan and activate the QR code using a cheap android mobile phone
  • Securely store the mobile phone, maybe turned off to save power
  • Security store the MFA QR code printed out in an envelope separately from the android phone

You could also use a shared Yubikey to store the MFA code rather than a mobile phone by using Yubico Authenticator .

This solves in a fairly secure way the following:

  • Continuing access to an AWS root account when personal change
  • Quick access to the root account if needed
  • Retain access to MFA when technology fails
  • Separation of password and MFA tokens