Your organization is rolling out MFA enforcement in AWS IAM Identity Center. Users are trying to register their devices, but something’s not working. The QR code won’t scan in their authenticator app. Or the verification code they enter is always rejected. Or they registered once, tried to re-register, and now they’re locked out. In this post, I’ll walk you through the most common MFA registration issues and how to fix them.

The Problem

Users can’t complete MFA registration in IAM Identity Center. The TOTP QR code scan doesn’t work, or the verification code is always rejected during setup. Some users report that they registered MFA once but now can’t log in at all.

Common error messages during MFA registration:

Error                                 Meaning
------------------------------------  ----------------------------------------------------
“Verification code is incorrect”      Clock skew or wrong TOTP app
“Unable to scan QR code”              Camera permissions denied or QR code display issue
“MFA device is already registered”    Device entry partially created; needs admin reset
“This field is required”              Browser auto-fill pasted stale OTP code
“YubiKey not detected”                Hardware MFA driver missing on Windows

Why Does This Happen?

  • Clock skew on the user’s device: TOTP (Time-based One-Time Password) is time-sensitive. If the user’s phone or computer clock is off by more than 30 seconds, the generated code won’t match what AWS expects.

  • Wrong authenticator app selected: User scanned the QR code into the wrong authenticator app (e.g., a different account in Microsoft Authenticator) or registered the same account twice under different app entries.

  • MFA device partially registered: The user started MFA registration, scanned the QR code, but then closed the browser before completing verification. The MFA device is now partially registered and blocks re-registration.

  • Browser auto-fill interference: Some password managers auto-fill OTP codes. If they fill an old or incorrect code, verification fails immediately.

  • MFA enforcement policy but no self-registration: Admin requires MFA but hasn’t enabled self-registration. Users can’t register their own devices.

  • Hardware MFA driver missing: For YubiKey or other hardware MFA, Windows needs the correct driver installed.
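To make the clock-skew point concrete, here is an added example (not code from the original post or from AWS) that generates RFC 6238 TOTP codes the way an authenticator app does and checks them the way a server does. The one-step tolerance window and the 30-second step are assumptions about the verifier; the secret below is the published RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # TOTP time step used by authenticator apps (RFC 6238 default)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, submitted: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side.

    window=1 is an assumption; it means a device clock up to roughly 30-59 s off
    may still pass, while anything further off is rejected as 'incorrect'.
    """
    for step_offset in range(-window, window + 1):
        candidate = totp(secret_b32, server_time + step_offset * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def skew_demo(secret_b32: str, server_time: int, device_skew_seconds: int) -> bool:
    """Simulate a phone whose clock is off by device_skew_seconds and see if its code passes."""
    code_from_phone = totp(secret_b32, server_time + device_skew_seconds)
    return verify(secret_b32, code_from_phone, server_time)


# Constructed input: the RFC 6238 Appendix B test secret ("12345678901234567890" in base32).
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = 1111111109  # fixed timestamp from the RFC test vectors, for reproducibility
    for skew in (0, 20, 90, -90):
        print(f"device clock off by {skew:+4d}s -> accepted: {skew_demo(RFC_TEST_SECRET, now, skew)}")
```

Run it and the 90-second skews fail while 0 and 20 seconds pass, which is exactly the “Verification code is incorrect” symptom Step 1 fixes by resyncing the clock.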

The Fix

Step 1: Sync Device Clock

Clock skew is the most common cause. Have the user sync their device:

iPhone/iPad: Settings > General > Date & Time > toggle “Set Automatically” off and on

Android: Settings > System > Date & time > toggle “Set automatically” on

Windows: Settings > Time & language > Date & time > Sync now

Mac: System Preferences > Date & Time > uncheck and recheck “Set date and time automatically”

Step 2: Clear Browser Auto-fill

Have the user disable auto-fill for the MFA code:

  1. In Chrome: Settings > Autofill > Passwords > toggle off
  2. In Firefox: Preferences > Privacy > Forms & Passwords > toggle off “Autofill logins and passwords”
  3. Clear cached OTP codes: DevTools > Application > Local Storage > Clear

Step 3: Admin Reset of Partially Registered MFA

If the user has a partially registered MFA device blocking them, an admin must reset it:

aws sso-admin list-mfa-devices-for-user \
  --instance-arn arn:aws:sso:::instance/ssoins-7223a5d90eexample \
  --user-id d-xxxxxxxxxxxxxxxx/00000000-0000-0000-0000-000000000000 \
  --region us-east-1

This returns all MFA devices (registered and pending) for the user. Delete the problematic device:

aws sso-admin delete-mfa-device-for-user \
  --instance-arn arn:aws:sso:::instance/ssoins-7223a5d90eexample \
  --user-id d-xxxxxxxxxxxxxxxx/00000000-0000-0000-0000-000000000000 \
  --device-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
  --region us-east-1

After deletion, the user can register their MFA device again on next login.

Step 4: Enable Self-Service MFA Registration

Navigate to IAM Identity Center > Settings > Multi-factor authentication.

Check: “Users can manage their own MFA devices”

This allows users to register and re-register devices without admin intervention.

How to Run This

  1. Have user sync their device clock
  2. Have user disable browser auto-fill
  3. Have user retry MFA registration
  4. If still blocked, get the user ID from IAM Identity Center > Users
  5. Run list-mfa-devices-for-user to find the device ID
  6. Run delete-mfa-device-for-user to clear it
  7. Enable self-service MFA in Settings so users can manage their own devices going forward
  8. Have user register MFA again on next login

Is This Safe?

Yes. Resetting MFA devices via the CLI is a standard administrative operation. Deleting a device does not compromise security; it only removes the registration so the user can register a new device. Because an MFA reset is also what a fraudulent help-desk request asks for, confirm the requester’s identity through your established out-of-band process before deleting the device, and always require the user to re-authenticate and re-register after an admin reset.

Key Takeaway

MFA registration failures are usually due to clock skew or browser auto-fill issues. Admins should enable self-service MFA management to reduce support tickets. For users with partially registered devices, the CLI delete command is faster than manually digging through the console.


Have questions or ran into a different SSO issue? Connect with me on LinkedIn or X.