Amazon Web Services (AWS) - Delete IAM Multi Factor Authentication (MFA) Devices using the AWS CLI


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

IAM (Identity and Access Management) contains non-root users that have been permitted to perform certain actions. IAM can be set up with Multi-Factor Authentication (MFA). For example, a user's mobile phone can be added so that the user must first authenticate with their username and password (something they know) and must next authenticate with an authentication code from their MFA device (something they have). The Microsoft Authenticator app is one such app that could be used to authenticate.

 

The aws iam list-virtual-mfa-devices command can be used to list the IAM multi-factor authentication devices that have been added.

aws iam list-virtual-mfa-devices

 

If no devices have been added, an empty list will be returned.

{
    "VirtualMFADevices": []
}

 

On the other hand, if a device has been assigned, something like this should be returned.

{
    "VirtualMFADevices": [
        {
            "SerialNumber": "arn:aws:iam::713441234252:mfa/JohnsCellPhone",
            "User": {
                "Path": "/",
                "UserName": "johndoe",
                "UserId": "AIDA1234L76GABCDB2123",
                "Arn": "arn:aws:iam::713441234252:user/jeremycanfield",
                "CreateDate": "2022-09-13T11:13:03+00:00"
            },
            "EnableDate": "2023-06-14T01:52:35+00:00"
        }
    ]
}

 

The aws iam delete-virtual-mfa-device command can be used to delete a device, using the serial number of the device.

aws iam delete-virtual-mfa-device --serial-number arn:aws:iam::713441234252:mfa/JohnsCellPhone
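
A virtual MFA device that is still assigned to a user has to be deactivated with aws iam deactivate-mfa-device before delete-virtual-mfa-device will accept it. The script below is an added example, not part of the original article: it looks up the assigned user, deactivates the device if needed, then deletes it. The function names and the DRY_RUN variable are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Function names and DRY_RUN are hypothetical.

# Print the user a virtual MFA device is assigned to; print nothing if it is unassigned.
mfa_assigned_user() {
    local serial out
    serial=$1
    # JMESPath filter on the serial number. With --output text a null result is
    # printed as "None", once per page when the listing is paginated.
    out=$(aws iam list-virtual-mfa-devices \
        --query "VirtualMFADevices[?SerialNumber=='${serial}'].User.UserName | [0]" \
        --output text) || return 1
    printf '%s\n' "$out" | grep -vx -e 'None' -e '' | head -n 1
    return 0
}

# Deactivate the device if it is still assigned, then delete it.
# With DRY_RUN set to any non-empty value, only report what would be done.
remove_virtual_mfa() {
    local serial user
    serial=$1
    user=$(mfa_assigned_user "$serial") || return 1
    if [ -n "$user" ]; then
        echo "deactivate: $serial (user $user)" >&2
        [ -n "${DRY_RUN:-}" ] || aws iam deactivate-mfa-device \
            --user-name "$user" --serial-number "$serial" || return 1
    fi
    echo "delete: $serial" >&2
    [ -n "${DRY_RUN:-}" ] || aws iam delete-virtual-mfa-device --serial-number "$serial"
}

# Run directly:  DRY_RUN=1 ./remove-mfa.sh arn:aws:iam::713441234252:mfa/JohnsCellPhone
if [ "$#" -gt 0 ]; then
    remove_virtual_mfa "$1"
fi
```

Run it with DRY_RUN=1 first to confirm which user would lose the device before making the change.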

 



