Increase AWS Single Sign-On security with multi-factor authentication using authenticator apps

Administrators can enroll, remove, and view TOTP authenticators for each of their users within the AWS SSO administrator portal. Alternatively, administrators can enable users to self-enroll within the user portal to speed up the enrollment process and reduce user friction.

Administrators can also enable context-aware mode, allowing users to easily sign-in with their username and password for most logins, but are prompted for TOTP generated passcodes only when their sign-in context changes, such as an unknown device or location. For increased security or compliance requirements, you can choose always-on mode to prompt for TOTP generated passcodes at every sign-in.



https://aws.amazon.com/about-aws/whats-new/2019/10/increase-aws-single-sign-on-security-with-multi-factor-authentication-using-authenticator-apps/