Lensix
Back to blog
AWSBest PracticesCloud SecurityIdentity & AccessOperations & Compliance

Root Account Uses Virtual MFA: Why Hardware MFA Matters on AWS

Learn why your AWS root user needs a hardware MFA device instead of a virtual TOTP app, the attack scenarios it blocks, and step-by-step remediation.

TL;DR

This check flags an AWS root account secured with a virtual (software) MFA app instead of a hardware token. Virtual MFA lives on a phone that can be lost, cloned, or phished, so for your most privileged account, register a hardware MFA device (FIDO security key or hardware OTP token) and remove the virtual one.

The root user is the single most dangerous identity in any AWS account. It can close the account, change the billing email, delete the organization, and bypass nearly every IAM guardrail you put in place. Most teams know to enable MFA on root. Fewer stop to ask which kind of MFA they enabled. This check answers that question and pushes you toward the stronger option.

What this check detects

Lensix inspects the MFA device registered to your AWS account root user and reports whether it is a virtual MFA device rather than a hardware one. The check (account_roothardwaremfa) passes only when root is protected by a hardware MFA device, either a FIDO2 security key or a hardware OTP token.

There are three states the root account can be in:

  • No MFA at all — the worst case, a separate and more severe finding.
  • Virtual MFA — a TOTP app like Google Authenticator, Authy, or 1Password generating codes. This is what this check flags.
  • Hardware MFA — a physical YubiKey, a Titan key, or a hardware OTP fob. This is the passing state.

Note: AWS supports up to eight MFA devices per root user, mixing virtual and hardware types. This check looks for the presence of at least one hardware device. If root only has virtual devices registered, it fails.

Why it matters

Virtual MFA is far better than no MFA, but it shares a weakness with the device it runs on. A TOTP secret is just a seed value. When you scan that QR code during setup, the seed is stored in the app on your phone. Anything that can read or copy that seed can generate valid codes forever.

Here are the realistic ways virtual MFA on root goes wrong:

  • Phishing. An attacker sends a convincing AWS login page, the victim types their root password and the current TOTP code, and the attacker replays both within the 30-second window. Hardware FIDO2 keys are bound to the origin domain and simply refuse to authenticate against a fake site, which kills this attack outright.
  • Phone compromise. Malware, a malicious app, or a cloud backup of your authenticator can leak the TOTP seed. With root, that is the keys to the entire account.
  • SIM swapping and account recovery abuse. If the virtual MFA app is tied to a phone number or a recoverable cloud account, an attacker who hijacks that can reconstruct the codes.
  • Shared or lost devices. Root MFA on someone's personal phone walks out the door when that person leaves, or sits unlocked on a desk.

The blast radius is what makes this specific to root. A compromised IAM user can be contained with permission boundaries, SCPs, and revoked sessions. A compromised root user can override all of that, including reading every secret and detaching every guardrail. For the one identity that can undo your entire security posture, the gap between virtual and hardware MFA is worth closing.

Warning: Compliance frameworks increasingly distinguish between MFA types for privileged accounts. CIS AWS Foundations Benchmark recommends hardware MFA for the root user specifically. If you are pursuing SOC 2, PCI DSS, or FedRAMP, a virtual MFA on root may show up as an audit gap.

How to fix it

You cannot register a hardware MFA device for root through the CLI or API. AWS requires you to do this from the console while signed in as the root user. Here is the full process.

Step 1: Get a hardware MFA device

Pick one of the supported types:

  • FIDO2 security key (recommended) — YubiKey 5 series, Google Titan, or any FIDO2/WebAuthn key. Phishing-resistant.
  • Hardware TOTP token — a fob that displays rotating codes, such as those sold for AWS. Better than virtual but not phishing-resistant.

Buy at least two so you have a backup. AWS lets you register multiple devices to root, which avoids a lockout if one is lost.

Step 2: Sign in as root

  1. Go to the AWS Management Console and choose Sign in using root user email.
  2. Enter the root email address and password.
  3. Complete the existing virtual MFA challenge.

Step 3: Register the hardware device

  1. Open the account menu (top right) and choose Security credentials.
  2. Under Multi-factor authentication (MFA), choose Assign MFA device.
  3. Give it a clear name, for example root-yubikey-primary.
  4. Choose Security Key for FIDO2, or Hardware TOTP token for a fob.
  5. Follow the prompts. For a FIDO2 key, you will tap the key when prompted. For a TOTP token, you enter the serial number and two consecutive codes.

Step 4: Register a backup hardware device

Repeat step 3 with your second key. Name it something like root-yubikey-backup and store it somewhere physically secure and separate from the primary.

Step 5: Remove the virtual MFA device

Danger: Do not remove the virtual MFA device until you have confirmed at least one hardware device works by signing out and back in with it. Removing your only working MFA can lock you out of the root account, and recovery requires a slow AWS support process involving identity verification.

  1. Back on the Security credentials page, find the virtual MFA device in the list.
  2. Select it and choose Remove.
  3. Confirm. Delete the entry from your authenticator app as well so no stale seed remains.

Verify with the CLI

While you cannot register a device this way, you can confirm what is currently assigned to root using the account-level credential report:

# Generate and download the IAM credential report
aws iam generate-credential-report
aws iam get-credential-report \
  --query 'Content' --output text | base64 --decode > credential-report.csv

# The  row shows mfa_active=true once any MFA is set
grep '<root_account>' credential-report.csv

Note: The credential report tells you whether root MFA is active but does not distinguish virtual from hardware. To audit the device type at scale across accounts, use the ListMFADevices data surfaced through tools like Lensix, which evaluate the device type for you.

How to prevent it from happening again

Root MFA is a one-time manual setup, so prevention is less about CI/CD gates and more about continuous detection plus organizational policy. The root user has no Terraform resource and no API to provision MFA, so you cannot enforce it as code at creation time.

Continuous monitoring

Run a recurring check across every account in your organization. New accounts created through AWS Organizations get a root user automatically, and that root often starts with no MFA at all. A scheduled scan catches both the missing-MFA and virtual-MFA cases.

# Example: list accounts in the org so you can track root MFA status per account
aws organizations list-accounts \
  --query 'Accounts[].{Id:Id,Name:Name,Email:Email}' \
  --output table

Detect virtual MFA registration with CloudTrail

Alert whenever a virtual MFA device is enabled on root, so you can follow up and swap it for hardware. Create an EventBridge rule on the relevant CloudTrail events:

{
  "source": ["aws.iam"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["iam.amazonaws.com"],
    "eventName": ["EnableMFADevice", "CreateVirtualMFADevice"],
    "userIdentity": {
      "type": ["Root"]
    }
  }
}

Route matches to an SNS topic or your incident channel. Any root MFA activity is rare and worth a human glance.

Tip: Pair the EventBridge rule with a Lensix policy that re-scans root MFA type on a schedule. The CloudTrail event tells you the moment something changed, and the scheduled scan confirms the account drifted back to compliance after you remediate.

Policy-as-code for the surrounding controls

You cannot manage root MFA in Terraform, but you can codify the things that reduce reliance on root entirely. Enforce an account baseline and a deny-root SCP through IaC:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUserActions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}

Attach this SCP to member accounts in your organization to block the root user from performing day-to-day actions. The root login still exists for the rare tasks that require it, but routine work is forced through properly governed IAM roles.

Warning: Do not attach a blanket deny-root SCP to the management account itself, and never to an account where you have not first verified hardware MFA and recovery access work. A few tasks genuinely require root, and an overly broad SCP combined with a lockout can leave you stuck.

Best practices for the root account

Hardware MFA is one layer. Treat the root user as a break-glass identity and lock down everything around it.

  • Register two hardware MFA devices. One primary for daily access, one backup stored offline in a safe or a separate secure location.
  • Use a FIDO2 key over a TOTP fob. Phishing resistance is the single biggest practical upgrade for the root user.
  • Delete root access keys. Root should never have programmatic access keys. If any exist, remove them.
  • Store the root password in a vault. Use a long, unique, randomly generated password held in a team password manager with tight access control, not in someone's personal notes.
  • Restrict root to break-glass tasks. Only a handful of operations require root: changing the account email, closing the account, certain billing and support changes, and restoring an account from a deny-everything policy. Everything else goes through IAM roles.
  • Log and alert on every root sign-in. Create a CloudWatch alarm or EventBridge rule for ConsoleLogin events where userIdentity.type is Root. A root login should always trigger a notification.
  • Apply this to every account. The management account gets the most attention, but each member account has its own root user with the same risk profile. Audit them all.

Think of root MFA as a seatbelt for the one driver who can steer the whole organization off a cliff. Virtual MFA is wearing it loosely. Hardware MFA is buckling it properly and bolting the seat to the floor.

Swapping virtual MFA for a hardware key on root takes about ten minutes and a twenty-dollar security key. Given that this account can undo every other control you have built, it is one of the highest-leverage security improvements available, and this check exists to make sure you do not skip it.