Root
Of these options we found using IAM Roles to be the most secure, but logging into the AWS Console using IAM Roles is quite a hassle, therefore Locksmith – a Chrome Extension for AWS Console login using Cross-Account IAM Roles – was created.
We use a single IAM user per person. This user has a single MFA, and you can easily remove the IAM user to revoke a person’s access to all accounts.
…doesn’t the AWS Console support this already?
Yes indeed, we developed Locksmith before AWS announced this feature. Even so, we still might have developed Locksmith since it has the following advantages over the tool built into the AWS Console: