I Lost my MFA Credentials for my AWS Root Account!

Today I found myself in a bit of a situation. I needed to log into my AWS account as the root user to enable AWS IAM Identity Center, a simple enough operation, or so I thought!

I navigated to the AWS Management Console login page that is required for root users.

I entered my email address as required and clicked ‘Next’. I was then presented with the usual captcha security checks, where I was asked to enter the characters shown on the screen or, alternatively, to listen to an audio clip and enter the 6 numbers it contains.

Next, I was asked to enter my password for the root account, which I did and clicked ‘Sign In’.

So far, so good. I sat there thinking this would only take a few more seconds, after which I would have IAM Identity Center enabled on the management account of my AWS Organization and be good to go!

The final verification step required me to enter my Multi-Factor Authentication (MFA) details. As security best practice dictates, you should have MFA enabled on your AWS account, especially on your root account, because of the elevated privileges that user has.

Personally, I use the Google Authenticator application on my phone to manage all my MFA credentials, but to my surprise and shock, I didn’t have an entry in the application for the root user of my AWS account!

To begin with I was sure I was doing something wrong. I checked again, then triple checked, until I came to the conclusion that I had either deleted it by accident from the app, or simply forgotten to add it when I replaced my phone some months ago (the more likely culprit).

So now I was in a situation where I didn’t have the MFA credentials for my AWS root account. I had not been in this situation before and was a little stuck as to what to do. After a quick bit of research I found that there is a process that allows you to gain access to your account as the root user without the preconfigured MFA device associated with the account. Instead, additional verification checks are made by AWS through both email and an automated phone call!

Using an alternate verification factor

To resolve this issue, first select ‘Troubleshoot MFA’. This directs you to a page that gives you 2 options:

  1. Re-sync with AWS servers
  2. Sign in using alternative factors of authentication

As I didn’t have any record of the MFA account in my application, I had to select ‘Sign in using alternative factors’.

From here you are presented with a 3-step sign-in process. Step 1 verifies your details through email. Confirm that the email address is correct, and then click ‘Send verification email’. At this point a verification email is sent to that address, which looks like the following:

You must verify your email address by clicking the link in the email. This takes you to step 2 of the verification process, which uses the telephone number registered on the AWS account.

When you select ‘Call me now’, you receive an automated phone call from AWS asking you for a 6-digit verification number that appears on screen once the call is connected.

HOWEVER, I got the following error as soon as I clicked the ‘Call me now’ button: “Phone verification could not be completed”.

Again, another stumbling block! This was, however, easily rectified. I logged into my AWS account as an administrator and checked my ‘Contact Information’ under my account settings, in particular the field where my phone number was entered. I realized that I hadn’t added the + sign and country code to the beginning of the contact number.

I edited these contact details and tried again, and this time it was successful. So that issue was completely my fault, as I hadn’t entered the details correctly when I set the account up about 7 years ago!

From here, I simply clicked ‘Sign in to the console’ and I was authenticated and able to sign in to my AWS account as the root user.

To prevent this from happening again, I removed the MFA device associated with the root account from within IAM and re-registered it using the Google Authenticator application on my phone.

So, if you ever find yourself in a situation where you do not have access to the MFA device or credentials for your root user account, don’t fear: you can authenticate using other factors, namely your email address and your registered contact number (just remember that the number must carry the + and country code as a prefix).
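The two things that decide whether this recovery path works are the format of the registered phone number and whether a root MFA device is actually enrolled, so they are worth checking before you need them. The following is an added example (not code from the original post) that audits both from dictionaries in the shape returned by `aws account get-contact-information` and `aws iam get-account-summary`; the sample responses and phone numbers below are constructed, and fetching the real responses from AWS is assumed to be done separately.

```python
import re

# E.164 international format: '+' followed by up to 15 digits, first digit non-zero.
# A number without the '+' and country code is what made the phone call fail.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def phone_is_e164(number: str) -> bool:
    """True if the number carries the '+' and country code AWS phone verification needs."""
    return bool(E164.match(number.strip()))


def audit_root_recovery_readiness(contact_info: dict, account_summary: dict) -> list:
    """Return a list of findings; an empty list means both fallback factors look usable.

    contact_info    : response shape of `aws account get-contact-information`
    account_summary : response shape of `aws iam get-account-summary`
    """
    findings = []
    phone = contact_info.get("ContactInformation", {}).get("PhoneNumber", "")
    if not phone:
        findings.append("no contact phone number registered on the account")
    elif not phone_is_e164(phone):
        findings.append(f"contact phone {phone!r} lacks '+' and country code (expected E.164)")
    # AccountMFAEnabled is 1 when the root user has an MFA device registered, else 0.
    if account_summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device registered")
    return findings


# Constructed sample responses: the 'before' number is how the contact was stored
# for years (no '+' or country code); 'after' is the corrected E.164 form.
CONTACT_BEFORE = {"ContactInformation": {"FullName": "Example Admin", "PhoneNumber": "07700 900123"}}
CONTACT_AFTER = {"ContactInformation": {"FullName": "Example Admin", "PhoneNumber": "+447700900123"}}
SUMMARY_MFA_ON = {"SummaryMap": {"AccountMFAEnabled": 1}}
SUMMARY_MFA_OFF = {"SummaryMap": {"AccountMFAEnabled": 0}}

if __name__ == "__main__":
    for label, contact, summary in (("before", CONTACT_BEFORE, SUMMARY_MFA_OFF),
                                    ("after", CONTACT_AFTER, SUMMARY_MFA_ON)):
        print(label, audit_root_recovery_readiness(contact, summary) or ["ok"])
```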

Stuart Scott

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation. To date, Stuart has created 100+ courses relating to Cloud reaching over 120,000 students, mostly within the AWS category and with a heavy focus on security and compliance. Stuart is a member of the AWS Community Builders Program for his contributions towards AWS. He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape. In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community. Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.
