Amazon will require MFA for AWS root users starting next year.

AWS announces that starting in mid-2024, the security of root user accounts within AWS will be mandatory through multifactor authentication (MFA). Initially, this requirement applies solely to root users of ‘AWS Organizations management accounts.’ However, AWS plans to expand the following year.

Users who must enable MFA will be notified through various means, including a prompt when logging into the administrative console. Although this requirement won’t take effect until next year, AWS encourages organizations to equip both their root MFA to other scenarios and users and other accounts with MFA methods resistant to phishing.

AWS remains committed to its customers’ security and offers support to activate and manage MFA. Customers can get started, fortifying their AWS accounts with this additional security layer. For more information and detailed instructions, please refer to the YubiKey page on our website. MFA is a robust and effective way to enhance the security of your AWS resources, and we are ready to assist you on your journey toward a safer AWS environment.