Using Token2 FIDO2 Security keys with AWS MFA

Amazon recommends enabling MFA to increase the security of your AWS environments. Signing in to MFA-protected accounts requires a user name, password,
and an additional MFA method. Currently, AWS supports 3 MFA methods: a virtual MFA device (mobile app like Google Authenticator),Security key and pre-enrolled keys. See our instructions here to learn how to use Token2 programmable TOTP tokens to protect your AWS account(as drop-in replacements for virtual MFA device).
In this guide, we will show how to use Token2 Security keys as an additional method for two-factor authentication with AWS MFA.


• An AWS account
• Admin access to enable security keys (not required if security keys are already enabled)
• Modern browser supporting security keys
• A Token2 FIDO security key

Enable the security key in your AWS account

• Log in to your AWS account console and select "Security Credentials" under your username (top menu on the right).

• Open the MFA section on the "Your Security Credentials" page, then click "Activate MFA," select "Security key" as your MFA type, insert the security key, and click "Continue".

• AWS will start to identify the inserted security key. If you have set up a PIN code on it you will be prompted to type it.

• After click 'Allow' to allow AWS to interact with your security key.

At this step, you will be prompted to press the button on security key to complete registration.
Note: Security keys differ in the exact instructions to activate them. Your key may require a tap or button press to activate registration.

• Now the account is ready to use this verification method. When AWS prompts you for your security key, insert it and touch the button to successfully login.