DenyAllExceptListedIfNoMFA


https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html

This example policy does not allow users to reset a password while signing in for the first time. AWS recommends that you do not grant permissions to new users until after they sign in. For more information, see "How do I securely create IAM users?". This also prevents users with an expired password from resetting their password before signing in. You can allow this by adding iam:ChangePassword and iam:GetAccountPasswordPolicy to the statement DenyAllExceptListedIfNoMFA. However, IAM does not recommend this. Allowing users to change their password without MFA can be a security risk.
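An audit check for the relaxation described above, as an added example (not code from the AWS page): it reports when a policy's DenyAllExceptListedIfNoMFA statement exempts the two password actions from the MFA requirement. It assumes the statement is a Deny with a NotAction list and a BoolIfExists condition on aws:MultiFactorAuthPresent; the function names and both sample policies are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

SID = "DenyAllExceptListedIfNoMFA"
# The two actions the page names as possible (not recommended) additions.
PASSWORD_ACTIONS = ("iam:changepassword", "iam:getaccountpasswordpolicy")

def as_list(value):
    """IAM accepts a scalar where a list is expected; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def audit_mfa_deny(policy_json):
    """Return findings for the DenyAllExceptListedIfNoMFA statement."""
    stmts = as_list(json.loads(policy_json).get("Statement"))
    stmt = next((s for s in stmts if s.get("Sid") == SID), None)
    if stmt is None:
        return ["statement %s not found" % SID]
    findings = []
    if stmt.get("Effect") != "Deny" or "NotAction" not in stmt:
        findings.append("not a Deny statement with NotAction")
    # Action names are case-insensitive and may contain * and ? wildcards.
    exempt = [str(a).lower() for a in as_list(stmt.get("NotAction"))]
    for action in PASSWORD_ACTIONS:
        hit = next((p for p in exempt if fnmatchcase(action, p)), None)
        if hit:
            findings.append("%s usable without MFA (via %s)" % (action, hit))
    # The deny must apply whenever MFA is absent from the request context.
    keys = stmt.get("Condition", {}).get("BoolIfExists", {})
    mfa = next((v for k, v in keys.items()
                if k.lower() == "aws:multifactorauthpresent"), None)
    if [str(v).lower() for v in as_list(mfa)] != ["false"]:
        findings.append("missing BoolIfExists aws:MultiFactorAuthPresent=false")
    return findings

def make_policy(not_action):
    """Constructed sample policy; the NotAction list is illustrative."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": SID, "Effect": "Deny", "NotAction": not_action,
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }]})

BASELINE = make_policy(["iam:EnableMFADevice", "iam:ListMFADevices",
                        "sts:GetSessionToken"])
RELAXED = make_policy(["iam:EnableMFADevice", "iam:ChangePassword",
                       "iam:GetAccountPasswordPolicy"])

if __name__ == "__main__":
    for name, doc in (("baseline", BASELINE), ("relaxed", RELAXED)):
        print(name, audit_mfa_deny(doc) or "ok")
```

A wildcard entry such as iam:* in NotAction is reported as well, since it exempts the password actions just as the explicit names do.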

