As per security best practices recommendations, it would be best to turn on multi-factor authentication for console logins for all the IAM users. However, there are some operational overheads when IAM users upgrade their virtual MFA devices (iPhone, Android etc). The recommended option is for root user to follow the below steps:-
****************
****************
Though not recommended, there is a way to share the token across old and new devices. In iPhone for example, we can backup the entire contents of the old iPhone to iTunes or iCloud and then perform a restore from backup on the new phone. This will also save the MFA tokens for apps like Google authenticator (till the date that backup was made).
****************
- Deactivate MFA from the user(s) account. If the user did not deactivate MFA prior to getting a new phone the root AWS account can do this: http://docs.aws.amazon.com/IAM/latest/UserGuide/DeactivateMFA.html
- Remove the previous MFA token from the virtual MFA application.
- Re-activate MFA on a user(s) account: http://docs.aws.amazon.com/IAM/latest/UserGuide/GenerateMFAConfigAccount.html
****************
Though not recommended, there is a way to share the token across old and new devices. In iPhone for example, we can backup the entire contents of the old iPhone to iTunes or iCloud and then perform a restore from backup on the new phone. This will also save the MFA tokens for apps like Google authenticator (till the date that backup was made).