You can use free virtual tokens such as Authy, Duo Mobile, LastPass Authenticator, Google Authenticator, or Microsoft Authenticator.
For security reasons it’s advisable to use multi-factor authentication for all users, starting with root and privileged users but ideally for all of them.
For security reasons it’s advisable to use multi-factor authentication on every user authentication. If this affects user experience, and it’s not accepted in your organization, context-aware authentication (or Adaptive authentication) is a good trade off, as it will prompt for MFA only when the device changed, or it comes from a different country, or there is any anomalous behavior (supported by AWS IAM Identity Center (successor to AWS Single Sign-On) and Amazon Cognito ).
There’s no additional charge for enabling MFA in AWS users. Also there’s no additional cost for using MFA on Cognito.
If you want to use a physical MFA device, you’ll need to purchase one from third-party vendors that is compatible with AWS MFA, either from Gemalto or Yubico. For additional details, visit Yubico or Gemalto’s website.