My guess is that their thinking is that you should use your root account to make an admin user via IAM, and the admin user should use IAM to make users for your people who will actually manage your services. Their advice [0]:
> We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks.
Here are those things that you need to use root for [1].
If you use U2F on your regular users and someone loses their key, they can ask the admin to temporarily disable 2FA on their user account, or switch them to TOTP, until they can get a new U2F key set up.
If you use U2F on your admin user and lose the key and there is only one admin account, I would guess that it is similar to the user account case, except you need to have the root account deal with it.
That only leaves the question of how to deal with the root account. If you enabled U2F and lose your key, Amazon provides a way in using email or phone instead [2].
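The admin-side recovery path the comment above describes (detach the lost U2F key from the user, then optionally enrol a TOTP app until a replacement key arrives), written out as an added example; this is not code from any comment in the thread or from AWS. It assumes the AWS CLI v2 is installed and that the caller's own IAM identity has `iam:ListMFADevices`, `iam:DeactivateMFADevice`, `iam:CreateVirtualMFADevice` and `iam:EnableMFADevice`; the user name, device name and output path are placeholders supplied by the caller. The `AWS` variable only exists so the functions can be exercised against a stub without real credentials.

```shell
#!/bin/sh
# Added example (not from the thread): admin helper for the "user lost their
# U2F key" case. Assumes AWS CLI v2 and the IAM permissions named in the lead-in.
set -eu

AWS=${AWS:-aws}   # overridable so the functions can be tested without credentials

# Print the serial numbers (ARNs) of every MFA device enabled on a user.
# A U2F/FIDO key appears as arn:aws:iam::<account>:u2f/...; a TOTP app as
# arn:aws:iam::<account>:mfa/<device-name>.
list_mfa_serials() {
    user="$1"
    "$AWS" iam list-mfa-devices --user-name "$user" \
        --query 'MFADevices[].SerialNumber' --output text
}

# Step 1: detach every MFA device from the user so the lost key no longer
# gates sign-in. Prints how many devices were deactivated. Do this only after
# confirming the requester's identity out of band; it removes the second factor.
deactivate_all_mfa() {
    user="$1"
    count=0
    for serial in $(list_mfa_serials "$user"); do
        "$AWS" iam deactivate-mfa-device --user-name "$user" --serial-number "$serial"
        count=$((count + 1))
    done
    echo "$count"
}

# Step 2 (optional): create a virtual (TOTP) MFA device as a stopgap. Writes the
# enrolment QR code to $2 and prints the new device ARN. The device is not
# active until enable_totp is called with two consecutive codes from the app.
create_totp_device() {
    device_name="$1"; qr_png="$2"
    "$AWS" iam create-virtual-mfa-device \
        --virtual-mfa-device-name "$device_name" \
        --outfile "$qr_png" --bootstrap-method QRCodePNG \
        --query 'VirtualMFADevice.SerialNumber' --output text
}

# Step 3: bind the TOTP device to the user using two successive codes,
# which proves the user actually scanned the QR code before MFA is re-enabled.
enable_totp() {
    user="$1"; serial="$2"; code1="$3"; code2="$4"
    "$AWS" iam enable-mfa-device --user-name "$user" --serial-number "$serial" \
        --authentication-code1 "$code1" --authentication-code2 "$code2"
}

# Usage when run directly: ./mfa-recovery.sh <iam-user-name>
if [ "${1:-}" != "" ]; then
    n=$(deactivate_all_mfa "$1")
    echo "deactivated $n MFA device(s) for user $1"
fi
```

The deactivate step alone is the "temporarily disable 2FA" path; running steps 2 and 3 as well is the "switch them to TOTP" path. Every call above goes through the caller's own credentials, so the admin performing the reset should itself be MFA-protected and the action will show up in CloudTrail under that admin's identity.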
With andotp I can export/backup the keys and use them on other devices. Also, you could scan the QR code (private key) with devices or print it out and keep it safe.
[0] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-use...
[1] https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that...
[2] https://aws.amazon.com/blogs/security/reset-your-aws-root-ac...