Root user does not have Multi-Factor Authentication enabled on their cloud account


It is a security best practice to always enable Multi-Factor Authentication (MFA) on any user that can perform sensitive operations in your account, especially the root user. There are multiple types of MFA available.

Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your account settings and resources. You can enable MFA for your account and for individual users you have created under your account. MFA can also be used to control access to service APIs.

A virtual MFA device uses a software application to generate a six-digit authentication code that is compatible with the time-based one-time password (TOTP) standard, as described in RFC 6238. The app can run on mobile hardware devices, including smartphones. With most virtual MFA applications, you can host more than one virtual MFA device, which makes them more convenient than hardware MFA devices.

Suggested Action

Enable Multi-Factor Authentication for the root user.
Enabling a Virtual MFA
Enabling a Hardware MFA

Tags: iam