Required IAM Policy
Only the user can enable multifactor authentication (MFA) for their own account. Users can also disable MFA for their own accounts. Members of the Administrators group can disable MFA for other users, but they cannot enable MFA for another user.
In general, MFA may include any two of the following:
- Something that you know, like a password.
- Something that you have, like a device.
- Something that you are, like your fingerprint.
The IAM service supports two-factor authentication using a password (first factor) and a device that can generate a time-based one-time password (TOTP) (second factor).