Multi-Factor Authentication

You can use free virtual tokens such as Authy, Duo Mobile, LastPass Authenticator, Google Authenticator, or Microsoft Authenticator.

MFA for everyone

For security reasons it’s advisable to use multi-factor authentication for all users, starting with root and privileged users but ideally for all of them.

MFA everywhere

For security reasons it’s advisable to use multi-factor authentication on every user authentication. If this affects user experience, and it’s not accepted in your organization, context-aware authentication (or Adaptive authentication) is a good trade off, as it will prompt for MFA only when the device changed, or it comes from a different country, or there is any anomalous behavior (supported by AWS IAM Identity Center (succesor to AWS Single Sign-On) and Amazon Cognito ).

Well Architected Framework Recommendation Mapping

Pricing

AWS does not charge any additional fees for using AWS MFA with your AWS account.
If you want to use a physical MFA device, you’ll need to purchase one from third-party vendors that is compatible with AWS MFA, either from Gemalto or Yubico. For additional details, visit Yubico or Gemalto’s website.