AWS multi-factor authentication (MFA) adds an extra layer of security for your AWS users. MFA verifies identity with something you know (the user name and password) and something you have (a hardware device or a software token). In addition to the user name and password, the user must enter a one-time authentication code when signing in to the AWS Management Console. As a best practice, always enable MFA for the root account and for any other highly privileged IAM users. Whether a request was made with MFA can also be used as a condition to control access to specific resources and to AWS service API calls.
Using the MFA condition keys (such as aws:MultiFactorAuthPresent) in an IAM policy, you can allow a user access to a set of actions only if the request was authenticated with MFA. For example, you can specify a condition that a user is allowed to create or terminate EC2 instances in the production environment only if they authenticated using MFA.
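The following is an added example, not code from the book or from AWS: a policy that allows launching and terminating EC2 instances in an assumed production account (111122223333) only when the request was made with MFA, together with a small re-implementation of the IAM condition semantics the policy relies on, so the effect of `Bool` versus `BoolIfExists` can be exercised offline. The account ID, region and instance ID are assumed values, and the evaluator is an illustration of the documented rules (explicit Deny wins, a missing key fails every operator except the `...IfExists` variants), not AWS's policy engine.

```python
"""Added example (not from the book or from AWS): an MFA-gated IAM policy for
production EC2 lifecycle calls, plus a minimal model of the IAM condition
semantics it depends on. Illustration only; not AWS's policy engine."""
import json

MFA_PRESENT = "aws:MultiFactorAuthPresent"  # absent, not "false", for long-term access keys
PROD_INSTANCES = "arn:aws:ec2:us-east-1:111122223333:instance/*"  # assumed production account
LIFECYCLE_ACTIONS = ["ec2:RunInstances", "ec2:TerminateInstances"]


def production_mfa_policy(deny_operator="BoolIfExists"):
    """Allow the lifecycle actions only with MFA and explicitly deny them without it.
    deny_operator is a parameter only so the weak variant ('Bool') can be compared
    with the correct one ('BoolIfExists')."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowProdLifecycleWithMFA",
                "Effect": "Allow",
                "Action": LIFECYCLE_ACTIONS,
                "Resource": PROD_INSTANCES,
                "Condition": {"Bool": {MFA_PRESENT: "true"}},
            },
            {
                # Without ...IfExists, a request that carries no MFA key at all
                # (long-term access keys) would not match this Deny.
                "Sid": "DenyProdLifecycleWithoutMFA",
                "Effect": "Deny",
                "Action": LIFECYCLE_ACTIONS,
                "Resource": PROD_INSTANCES,
                "Condition": {deny_operator: {MFA_PRESENT: "false"}},
            },
        ],
    }


def policy_json(policy):
    """The document as it would be attached with put-user-policy or put-group-policy."""
    return json.dumps(policy, indent=2)


# A broad grant a team may already hold; the Deny above must hold even then.
BROAD_EC2_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def _condition_met(operator, key, expected, context):
    """One condition key under the operators this example uses."""
    if key not in context:
        return operator.endswith("IfExists")  # only ...IfExists tolerates a missing key
    actual = str(context[key])
    base = operator[: -len("IfExists")] if operator.endswith("IfExists") else operator
    if base == "Bool":
        return actual.lower() == expected.lower()
    if base == "StringEquals":
        return actual == expected
    raise ValueError(f"operator {operator} not modelled here")


def _glob(pattern, value):
    """Exact match or a trailing '*' wildcard, which is all this example needs."""
    return value == pattern or (pattern.endswith("*") and value.startswith(pattern[:-1]))


def _statement_applies(stmt, action, resource, context):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(_glob(a, action) for a in actions) or not _glob(stmt["Resource"], resource):
        return False
    return all(
        _condition_met(operator, key, expected, context)
        for operator, pairs in stmt.get("Condition", {}).items()
        for key, expected in pairs.items()
    )


def evaluate(policies, action, resource, context):
    """IAM's rule across all attached policies: an explicit Deny wins,
    otherwise any matching Allow allows, otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"  # assumed

# Constructed request contexts mirroring what AWS populates for each sign-in type.
CONTEXTS = {
    "console sign-in with MFA": {MFA_PRESENT: "true"},
    "temporary credentials, no MFA": {MFA_PRESENT: "false"},
    "long-term access keys (key absent)": {},
}

if __name__ == "__main__":
    print(policy_json(production_mfa_policy()))
    for label, ctx in CONTEXTS.items():
        strong = evaluate([BROAD_EC2_ALLOW, production_mfa_policy()], "ec2:TerminateInstances", INSTANCE, ctx)
        weak = evaluate([BROAD_EC2_ALLOW, production_mfa_policy("Bool")], "ec2:TerminateInstances", INSTANCE, ctx)
        print(f"{label:36s} BoolIfExists={strong:5s} Bool={weak}")
```

Running the script shows the check a practitioner should make before relying on such a policy: with `BoolIfExists`, a caller using long-term access keys (for which `aws:MultiFactorAuthPresent` is simply absent from the request context) is denied even when another attached policy grants `ec2:*`, while a Deny written with plain `Bool` does not match that request and the broad grant wins. The Allow statement alone is safe because a missing key fails its `Bool` test; the explicit Deny is what protects you against other policies in the same principal's effective permissions.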
There are two types of MFA—virtual and hardware. The virtual...