Using TOTP hardware tokens with AWS MFA


Our programmable TOTP tokens can be used for AWS Virtual MFA as an alternative to smartphone applications. These tokens are physical devices that generate the time-based one-time passwords required for MFA authentication. Please note that this method is different from the hardware token method described in the AWS documentation: that method only accepts one specific model of hardware token, and third-party devices such as the ones from Token2 are not yet supported there. Token2 devices can be provisioned only as a replacement for the Virtual MFA method.

Amazon recommends enabling MFA to increase the security of your AWS environments. Signing in to MFA-protected accounts requires a user name, a password, and an authentication code from an MFA device. Currently, AWS supports 3 MFA methods: a virtual MFA device (a mobile app such as Google Authenticator), U2F keys and pre-enrolled Gemalto keys. As Token2 programmable tokens act as drop-in replacements for a virtual MFA device, you can use them with AWS MFA as well. The guide below shows how to enroll a Token2 hardware token with your AWS account.


Requirements: 

  • An AWS account
  • A Token2 programmable token (only the second generation tokens are compatible with AWS accounts)
  • An Android device with NFC* - this is needed for the enrollment only; subsequent logins will only require the hardware token
  • TOKEN2 NFC Burner app* - make sure you have the latest version (at least 2.1). Previous versions of the app do not support the longer seeds generated by the AWS account 2FA system

[* Windows and iPhone versions are also available, but this guide will use Android as an example]


Activate MFA on your AWS account:

  • Log in to your AWS account console and select "My Security Credentials" under your username (top menu on the right)

  • On the "Your Security Credentials" page, open the MFA section, then click on "Activate MFA", select "Virtual MFA device" as your MFA type and click "Continue"

  • On the next window click on "Show QR Code"

  • Launch the NFC burner app on your Android device and hit the "QR" button



  • Point the camera at the QR code shown on the account page. Upon a successful QR scan, the camera window should disappear
  • Turn on the token and touch it with your phone (make sure it overlaps the NFC antenna), then click "Connect" in the app
  • Upon successful connection, click the "Burn seed" button. If the NFC link is established and the code was scanned correctly, you should see a status window showing "Burning..." and, within a second or two, a "burn seed successful.." message in the log window



  • After completing the burning process, turn the token display off and turn it on again
  • Enter the code generated by the token in the "MFA Code 1" field, then turn the token off. Wait for 30 seconds, turn the token on again, and enter the next generated code in the "MFA Code 2" field. Make sure the two codes are different: if they are the same, you did not wait long enough. Then click on the "Assign MFA" button



  • The enrollment is now complete
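To show what happens underneath the steps above, here is an added example (not Token2's burner app code and not AWS code): it parses the otpauth:// URI that the QR code encodes, derives RFC 6238 TOTP codes (HMAC-SHA1, 6 digits, 30-second period, the parameters AWS virtual MFA uses) from the seed the way a programmable token does, and produces the two consecutive codes the "Assign MFA" step asks for. The URI, account label and seed are constructed sample values, not real AWS data.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample URI (not a real AWS seed). AWS issues a 64-character
# base32 seed, which is why older burner app versions could not handle it.
SAMPLE_URI = (
    "otpauth://totp/Amazon%20Web%20Services:alice@example?secret="
    + "JBSWY3DPEHPK3PXP" * 4
    + "&issuer=Amazon%20Web%20Services"
)

def parse_otpauth(uri: str) -> dict:
    """Return label, raw seed bytes, digits and period from an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parsed.query)
    secret = query["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if stripped
    return {
        "label": parsed.path.lstrip("/"),
        "seed": base64.b32decode(secret),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }

def totp(seed: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def enrollment_codes(uri: str, unix_time: int) -> tuple:
    """The two codes AWS asks for: one now and one a full period later.
    Reading the token twice within the same period would repeat the code."""
    p = parse_otpauth(uri)
    code1 = totp(p["seed"], unix_time, p["digits"], p["period"])
    code2 = totp(p["seed"], unix_time + p["period"], p["digits"], p["period"])
    return code1, code2

if __name__ == "__main__":
    print(enrollment_codes(SAMPLE_URI, int(time.time())))
```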