You can use free virtual tokens such as Authy, Duo Mobile, LastPass Authenticator, Google Authenticator, or Microsoft Authenticator.
For security reasons it’s advisable to use multi-factor authentication for all users, starting with root and privileged users but ideally for all of them.
For security reasons it’s advisable to use multi-factor authentication on every user authentication. If this affects user experience, and it’s not accepted in your organization, context-aware authentication (or Adaptive authentication) is a good trade off, as it will prompt for MFA only when the device changed, or it comes from a different country, or there is any anomalous behavior (supported by AWS SSO and Amazon Cognito ).
AWS does not charge any additional fees for using AWS MFA with your AWS account.
If you want to use a physical MFA device, you’ll need to purchase one from third-party vendors that is compatible with AWS MFA, either from Gemalto or Yubico. For additional details, visit Yubico or Gemalto’s website.