MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they’re prompted for their user name and password and for an authentication code from their AWS MFA device.
When you use virtual MFA for the root user, CIS recommends that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.