Planning for the loss of an MFA device

Tags: ACG

One of the problems with good security is that it is easy to lock yourself out. A number of students have asked what happens if you lose your phone or forget a password.

Plan ahead

It is very easy to think, "This is just a lab environment and I can be a bit sloppy." However, this is the time to practice being the professional that you want to be, and want to be able to show off at an interview. As a professional you need to think ahead about what could go wrong and have a plan to address it.

  1. Always have a 2nd Admin account.
    • This account should be on a different MFA device, —or—
    • You might only assign it an API key set which you test once, keep in a safe and never use.
  2. Practice using the CLI to create accounts and reset the MFA so that you can easily move to a new device if needed. Even without a separate Admin account you can use your key set to reset your MFA.
  3. Keep a copy of the setup QR code somewhere secure. With this you can set up a new device.
  4. Keep records of your sign-up and payments so that, if you need to ask AWS for assistance, you have the supporting documentation to prove that you are the bona fide account owner.
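
A rehearsal of step 2, as an added example that is not part of the original article. It assumes an IAM user (not the root user), the AWS CLI, and an admin access key; the function names and the `AWS_CMD` override are hypothetical helpers introduced here.

```shell
#!/bin/sh
# Added example: replace a lost MFA device on an IAM user with the AWS CLI.
# Assumption: the CLI is configured with the admin key set kept for recovery.
AWS_CMD="${AWS_CMD:-aws}"   # overridable so the flow can be rehearsed against a stub

# Deactivate every MFA device on the user; delete the virtual ones.
remove_old_mfa() {   # $1 = IAM user name
    serials=$("$AWS_CMD" iam list-mfa-devices --user-name "$1" \
        --query 'MFADevices[].SerialNumber' --output text) || return 1
    for serial in $serials; do
        "$AWS_CMD" iam deactivate-mfa-device --user-name "$1" \
            --serial-number "$serial" || return 1
        case "$serial" in
            arn:aws:iam::*:mfa/*)   # virtual device: remove the orphaned object too
                "$AWS_CMD" iam delete-virtual-mfa-device \
                    --serial-number "$serial" || return 1 ;;
        esac
    done
}

# Create a new virtual device; writes the QR code PNG and prints the new serial.
create_mfa() {   # $1 = device name, $2 = QR output path
    ( umask 077   # the QR code embeds the TOTP seed: make the file owner-only
      "$AWS_CMD" iam create-virtual-mfa-device \
          --virtual-mfa-device-name "$1" --outfile "$2" \
          --bootstrap-method QRCodePNG \
          --query 'VirtualMFADevice.SerialNumber' --output text )
}

# Bind the new device to the user with two consecutive codes from the app.
enable_mfa() {   # $1 = user, $2 = serial, $3 and $4 = consecutive codes
    "$AWS_CMD" iam enable-mfa-device --user-name "$1" --serial-number "$2" \
        --authentication-code1 "$3" --authentication-code2 "$4"
}
```

If the key set is covered by a policy that denies requests when `aws:MultiFactorAuthPresent` is false, these calls fail without the lost device, which is why the recovery keys should be tested before they are needed.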

Newer information

Since this article was first written, AWS have come up with new methods and advice. This will still work, but please also read the following:


If you need help, please contact Pluralsight Support.