In this exercise we will use AWS Identity & Access Management (IAM) in the AWS Management Console to configure and enable a virtual multi factor authentication (MFA) device for the root. To manage MFA devices for the AWS account, you must be signed in to AWS using your root user credentials. You cannot manage MFA devices for the root user using other credentials.
Use your AWS account email address and password to sign in as the AWS account root user to the IAM console at https://console.aws.amazon.com/iam/
On the right side of the navigation bar, click your account name, and click My Security Credentials. If necessary, click Continue to Security Credentials. Then expand the Multi-Factor Authentication (MFA) section on the page.
\
Click Activate MFA.
In the wizard, click virtual MFA device and then click Continue.
If the virtual MFA software supports multiple accounts (multiple virtual MFA devices), then click the option to create a new account (a new virtual device).
The easiest way to configure the app is to use the app to scan the QR code. If you cannot scan the code, you can type the configuration information manually.
The device starts generating six-digit numbers.
In the Manage MFA Device wizard, in the MFA Code 1 box, type the six-digit number that’s currently displayed by the MFA device. Wait up to 30 seconds for the device to generate a new number, and then type the new six-digit number into the Authentication Code 2 box.
Important: Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.
Click Assign MFA, and then click Finish. Note the 'success' confirmation and click Close.
For more information please read the AWS User Guide:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html