How to Deactivate a Lost MFA Device for an AWS IAM User

Learn how to quickly identify and remove lost MFA devices in AWS to maintain security when a user loses their multi-factor authentication device.

Patrick Londa
Author
Oct 19, 2022

Multi-Factor Authentication (MFA) is a key security measure for validating the identity of AWS users by adding another layer of security on top of username and password. 

But what happens if a user loses their MFA device? The safeguard now locks out the legitimate user, and if the device was stolen rather than lost, a second factor for the account is in someone else's hands. Lost devices should therefore be deactivated promptly.

In this guide, we’ll walk through the steps your AWS Administrator should take to deactivate a lost device.


Deactivating Lost MFA Devices for AWS Users

When an AWS user loses their device, they should notify an AWS administrator directly or submit a support ticket. Then the admin can deactivate the device either in the console or by using the AWS CLI.

Using the AWS Console:

  1. Sign in to the AWS Management Console.
  2. Open the IAM console.
  3. Within the navigation pane, locate and select Users.
  4. Find the name of the user or users who have lost MFA devices.
  5. Click on the Security Credentials tab.
  6. Next to Assigned MFA device, click on Manage.
  7. The Manage MFA Device wizard should appear. From here, choose Remove and confirm the action.
  8. The device is now deactivated and no longer associated with the user.

Remember that a deactivated MFA device cannot be used to sign in or authenticate requests until it is enabled again and associated with an IAM user or the AWS account root user.

Using the AWS CLI:

You can also deactivate the device with the AWS CLI. Either way, once the device is deactivated the user can sign in with only their password, so the deactivation should be followed promptly by enrolling a replacement device.

  1. First, run the list-mfa-devices command to get the serial number of the user's device:
aws iam list-mfa-devices --user-name <value>

Now, you have the serial number you need for the next step.

  2. Next, run deactivate-mfa-device to remove the device:
aws iam deactivate-mfa-device --user-name <value> --serial-number <value>

This command deactivates the specified MFA device and removes its association with the IAM user it was enabled for. You identify the lost device by the IAM user name and the device's serial number. The serial number of a virtual MFA device is its ARN (Amazon Resource Name); for a hardware token it is the serial number printed on the device. Note that deactivating a virtual MFA device does not delete it: the virtual device still exists as an IAM resource, and once it is no longer needed you can remove it with aws iam delete-virtual-mfa-device --serial-number <arn> (it must be deactivated first).

For example, for an IAM user named "MattSmith" in account 123456789 (a placeholder account ID) whose virtual MFA device is named "MattSmithsMFADevice", the serial number is the device ARN, and the command is:

aws iam deactivate-mfa-device --user-name MattSmith --serial-number arn:aws:iam::123456789:mfa/MattSmithsMFADevice

Once the device is deactivated, the user will not have MFA active until they enable it on a new device. They should be prompted to do this as soon as possible to maintain strong login security.
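Putting the two CLI steps together, here is an added example script (not code from the original post or from Blink) that lists a user's MFA serial numbers, deactivates each one, and then lists again to confirm nothing is left attached. It assumes the AWS CLI is installed and that the calling credentials are allowed iam:ListMFADevices and iam:DeactivateMFADevice on the target user; the script name deactivate-mfa.sh and the AWS_CLI override variable are this example's own inventions. Because it loops over every serial number returned, it also covers a user who has more than one device registered.

```shell
#!/bin/sh
# deactivate-mfa.sh (hypothetical name): deactivate every MFA device assigned
# to an IAM user, then re-check the user to confirm none is left.
# Assumes the AWS CLI is installed and the caller's credentials allow
# iam:ListMFADevices and iam:DeactivateMFADevice on the target user.
# AWS_CLI lets a dry run or a test substitute another command for `aws`.
AWS_CLI="${AWS_CLI:-aws}"

# Print the serial numbers of a user's MFA devices, one per line.
# Virtual devices report their ARN (arn:aws:iam::ACCOUNT:mfa/NAME) as the
# serial number; hardware tokens report the serial printed on the device.
# Empty output means no device is assigned. Returns non-zero if the CLI call
# itself fails (user does not exist, caller lacks permission), so that a
# failed call is never mistaken for "no device".
list_mfa_serials() {
    user="$1"
    raw=$("$AWS_CLI" iam list-mfa-devices --user-name "$user" \
        --query 'MFADevices[].SerialNumber' --output text) || return 1
    # text output joins the list with tabs; split it and drop blanks/None.
    printf '%s\n' "$raw" | tr '\t' '\n' | sed -e '/^$/d' -e '/^None$/d'
}

# Deactivate every device on the user and print how many were removed.
# Returns 1 if the user has no device or a call fails, 2 if a device is still
# attached afterwards (the deactivation did not take effect).
deactivate_user_mfa() {
    user="$1"
    serials=$(list_mfa_serials "$user") || return 1
    if [ -z "$serials" ]; then
        echo "no MFA device is assigned to $user" >&2
        return 1
    fi
    count=0
    for serial in $serials; do
        if ! "$AWS_CLI" iam deactivate-mfa-device \
                --user-name "$user" --serial-number "$serial"; then
            echo "failed to deactivate $serial for $user" >&2
            return 1
        fi
        count=$((count + 1))
    done
    # Verify rather than trust: list again and insist nothing remains.
    remaining=$(list_mfa_serials "$user") || return 1
    if [ -n "$remaining" ]; then
        echo "still attached to $user: $remaining" >&2
        return 2
    fi
    echo "$count"
}

# Usage: sh deactivate-mfa.sh <iam-user-name>
if [ -n "${1:-}" ]; then
    deactivate_user_mfa "$1"
fi
```

The second listing matters: a deactivation call that returns success but leaves a device attached (or a user whose name you typed wrong, which the real CLI rejects with NoSuchEntity) should surface as an error, not as a quiet "done".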

Automating MFA Enforcement with Blink

When an MFA device is lost, the device owner might submit a ticket and you can take these steps manually, but it forces you to context-switch and look up the steps and playbook for handling lost devices.

With an automation platform like Blink, you can build an automation with drag-and-drop steps to deactivate lost MFA devices and share it with coworkers as a self-service application. Device owners can just enter the information about their device as input parameters, and then your automation can handle the rest. No tickets and no delay.

Get started with Blink and automate your device deactivation process today.
