How to Deactivate a Lost MFA Device for an AWS IAM User
If one of your AWS users loses their multi-factor authentication device, it's important to deactivate it right away. In this guide, we'll show you how to identify and remove lost MFA devices.
Multi-Factor Authentication (MFA) is a key security measure for validating the identity of AWS users by adding another layer of security on top of username and password.
But what happens if a user loses their MFA device? Until it is deactivated, the lost device is still a valid second factor, possibly in someone else’s hands, so lost devices should be deactivated promptly. Deactivating it ensures that even if the device was stolen, it cannot be used to complete a sign-in to your AWS account.
In this guide, we’ll walk through the steps your AWS Administrator should take to deactivate a lost device.
When an AWS user loses their device, they should notify an AWS administrator directly or submit a support ticket. The admin can then remove the device either in the console (IAM > Users > the affected user > Security credentials > Multi-factor authentication (MFA) > select the device > Remove) or with the AWS CLI.
Remember that a removed MFA device can no longer be used to sign in or authenticate requests unless it is reactivated and associated again with an IAM user or the AWS account root user. Deactivation only breaks the association; a deactivated virtual MFA device can be deleted separately afterwards so that its serial number can never be reused.
You can also deactivate the device with the AWS CLI. The effect is the same as in the console: once the device is removed, the user can sign in with their password alone, so treat the time until a new device is enrolled as a window of reduced protection. First, look up the device’s serial number with `aws iam list-mfa-devices --user-name <user>`; the SerialNumber field in the output is what the next step needs.
The `aws iam deactivate-mfa-device` command deactivates the specified MFA device and removes its association with the IAM user that had it enabled. You identify the lost device by the IAM user name and the device’s serial number. For a virtual MFA device the serial number is the device’s ARN (Amazon Resource Name), of the form `arn:aws:iam::<account-id>:mfa/<device-name>`; for a hardware token it is the serial printed on the token.
For example, for an IAM user named "MattSmith" in account 123456789012 whose virtual device has the ARN `arn:aws:iam::123456789012:mfa/MattSmith`, you would pass that user name and that ARN as the --user-name and --serial-number arguments.
Once the device is deactivated, the user has no MFA until they enrol a new device, so they should be prompted to do that as soon as possible to maintain strong login security. Deactivating MFA does not change the user’s password; if there is any chance the device was stolen together with the password, reset the password too. If your IAM policies require MFA (a condition on aws:MultiFactorAuthPresent), the user will be limited to whatever those policies allow without MFA, typically only enrolling a new device, until they have done so.
When an MFA device is lost, the device owner might submit a ticket and you can take these steps manually, but that forces you to context-switch and look up the steps and the playbook for handling lost devices.
With an automation platform like Blink, you can build an automation with drag-and-drop steps to deactivate lost MFA devices and share it with coworkers as a self-service application. Device owners can just enter the information about their device as input parameters, and then your automation can handle the rest. No tickets and no delay.
Get started with Blink and automate your device deactivation process today.
Blink is an automation copilot that enables you to create full ready-to-run workflows between tools – just type a prompt.