Adding MFA to a user pool - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Adding MFA to a user pool

MFA adds a something you have authentication factor to the initial something you know factor that is typically a username and password. You can choose SMS text messages, email messages, or time-based one-time passwords (TOTP) as additional factors to sign in your users.

Multi-factor authentication (MFA) increases security for the local users in your application. In the case of federated users, Amazon Cognito delegates all authentication processes to the IdP and doesn't offer them additional authentication factors.

Note

The first time that a new user signs in to your app, Amazon Cognito issues OAuth 2.0 tokens, even if your user pool requires MFA. The second authentication factor when your user signs in for the first time is their confirmation of the verification message that Amazon Cognito sends to them. If your user pool requires MFA, Amazon Cognito prompts your user to register an additional sign-in factor to use during each sign-in attempt after the first.

With adaptive authentication, you can configure your user pool to require an additional authentication factor in response to an increased risk level. To add adaptive authentication to your user pool, see Advanced security with threat protection.

When you set MFA to required for a user pool, all users must complete MFA to sign in. To sign in, each user must set up at least one MFA factor. When MFA is required, you must include the MFA setup in user onboarding so that your user pool permits them to sign in.

Managed login prompts users to set up MFA when you set MFA to be required. When you set MFA to be optional in your user pool, managed login doesn't prompt users. To work with optional MFA, you must build an interface in your app that prompts your users to select that they want to set up MFA, then guides them through the API inputs to verify their additional sign-in factor.

Things to know about user pool MFA

Before you set up MFA, consider the following:

  • A user's preferred MFA method influences the methods they can use to recover their password. Users whose preferred MFA is by email message can't receive a password-reset code by email. Users whose preferred MFA is by SMS message can't receive a password-reset code by SMS.

    Your password recovery settings must provide an alternative option when users aren't eligible for your preferred password-reset method. For example, your recovery mechanisms might have email as first priority and email MFA might be an option in your user pool. In this case, add SMS-message account recovery as a second option or use administrative API operations to reset passwords for those users.

  • Users can't receive MFA and password reset codes at the same email address or phone number. If they use one-time passwords (OTPs) from email messages for MFA, they must use SMS messages for account recovery. If they use OTPs from SMS messages for MFA, they must use email messages for account recovery. In user pools with MFA, users might be unable to complete self-service password recovery if they have attributes for their email address but no phone number, or their phone number but no email address.

    To prevent the state where users can't reset their passwords in user pools with this configuration, set the email and phone_number attributes as required. As an alternative, you can set up processes that always collect and set those attributes when users sign up or when your administrators create user profiles. When users have both attributes, Amazon Cognito automatically sends password-reset codes to the destination that is not the user's MFA factor.

  • When you activate MFA in your user pool and choose SMS message or Email message as a second factor, you can send messages to a phone number or email attribute that you haven't verified in Amazon Cognito. After your user completes MFA, Amazon Cognito sets their phone_number_verified or email_verified attribute to true.

  • After five unsuccessful attempts to present an MFA code, Amazon Cognito begins the exponential-timeout lockout process described at Lockout behavior for failed sign-in attempts.

  • If your account is in the SMS sandbox in the Amazon Web Services Region that contains the Amazon Simple Notification Service (Amazon SNS) resources for your user pool, you must verify phone numbers in Amazon SNS before you can send an SMS message. For more information, see SMS message settings for Amazon Cognito user pools.

  • To change the MFA status of users in response to detected events with threat protection, activate MFA and set it as optional in the Amazon Cognito user pool console. For more information, see Advanced security with threat protection.

  • Email and SMS messages require that your users have email address and phone number attributes respectively. You can set email or phone_number as required attributes in your user pool. In this case, users can't complete sign-up unless they provide a phone number. If you don't set these attributes as required but want to do email or SMS message MFA, you prompt users for their email address or phone number when they sign up. As a best practice, configure your user pool to automatically message users to verify these attributes.

    Amazon Cognito counts a phone number or email address as verified if a user has successfully received a temporary code by SMS or email message and returned that code in a VerifyUserAttribute API request. As an alternative, your team can set phone numbers and mark them as verified with an administrative application that performs AdminUpdateUserAttributes API requests.

  • If you have set MFA to be required and you activated more than one authentication factor, Amazon Cognito prompts new users to select an MFA factor that they want to use. Users must have a phone number to set up SMS message MFA, and an email address to set up email message MFA. If a user doesn't have the attribute defined for any available message-based MFA, Amazon Cognito prompts them to set up TOTP MFA. The prompt to choose an MFA factor (SELECT_MFA_TYPE) and to set up a chosen factor (MFA_SETUP) comes in as a challenge response to InitiateAuth and AdminInitiateAuth API operations.

User MFA preferences

Users can set up multiple MFA factors. Only one can be active. You can choose the effective MFA preference for your users in user pool settings or from user prompts. A user pools prompts a user for MFA codes when user pool settings and their own user-level settings meet the following conditions:

  1. You set MFA to optional or required in your user pool.

  2. The user has a valid emailor phone_numberattribute, or has set up an authenticator app for TOTP.

  3. At least one MFA factor is active.

  4. One MFA factor is set as preferred.

User pool settings and their effect on MFA options

The configuration of your user pool influences the MFA methods that users can choose. The following are some user pool settings that influence users’ ability to set an MFA preference:

  • In the Multi-factor authentication configuration in the Sign-in menu of the Amazon Cognito console, you can set MFA to optional or required, or turn it off. The API equivalent of this setting is the MfaConfiguration parameter of CreateUserPool, UpdateUserPool, and SetUserPoolMfaConfig.

    Also in the Multi-factor authentication configuration, the MFA methods setting determines the MFA factors that users can set up. The API equivalent of this setting is the SetUserPoolMfaConfig operation.

    In the Sign-in menu, under User account recovery, you can configure the way that your user pool sends messages to users who forget their password. A user’s preferred MFA method can’t have the same delivery method as the highest-priority Recovery message delivery method in your user pool. The API equivalent of this configuration is the AccountRecoverySetting parameter of CreateUserPool and UpdateUserPool.

    For example, users can’t set email MFA as preferred when your recovery option is Email only or Email if available, otherwise SMS. Change the delivery method to SMS only or SMS if available, otherwise email.

  • If you set only one MFA method as available, you don’t need to manage user MFA preferences.

  • An active SMS configuration automatically makes SMS messages an available MFA method in your user pool.

    An active email configuration with your own Amazon SES resources in a user pool, and the Essentials or Plus feature plan, automatically makes email messages an available MFA method in your user pool.

  • When you set MFA to required in a user pool, users can’t enable or disable any MFA methods. You can only set a preferred method.

  • When you set MFA to optional in a user pool, managed login doesn’t prompt users to set up MFA, but it does prompt users for an MFA code when they have a preferred MFA method.

  • When you activate threat protection and configure adaptive-authentication responses in full-function mode, MFA must be optional in your user pool. One of the response options with adaptive authentication is to require MFA for a user whose sign-in attempt is evaluated to contain a level of risk.

    The Required attributes setting in the Sign-up menu of the console determines whether users must provide an email address or phone number to sign up in your application. Email and SMS messages become eligible MFA factors when a user has the corresponding attribute. The Schema parameter of CreateUserPool sets attributes as required.

  • When you set MFA to required in a user pool and a user signs in with managed login, Amazon Cognito prompts them to select an MFA method from the available methods for your user pool. Managed login handles the collection of an email address or phone number and the setup of TOTP.

The following table lists the detailed effects of user pool configuration on sign-in attempts immediately after initial sign-up.

Details MFA required TOTP enabled SMS enabled Email enabled Has email address Has phone number Outcome after sign-up (managed login) Challenge/Outcome after sign-up (SDK)
All enabled TRUE TRUE TRUE TRUE TRUE TRUE Select a factor SELECT_MFA_TYPE
TRUE TRUE TRUE TRUE FALSE FALSE Set up TOTP MFA_SETUP1
TRUE TRUE TRUE TRUE TRUE FALSE Select a factor SELECT_MFA_TYPE2
TRUE TRUE TRUE TRUE FALSE TRUE Select a factor SELECT_MFA_TYPE3
TOTP and email enabled TRUE TRUE FALSE TRUE TRUE TRUE Select a factor SELECT_MFA_TYPE
TRUE TRUE FALSE TRUE TRUE FALSE Select a factor SELECT_MFA_TYPE
TRUE TRUE FALSE TRUE FALSE TRUE Select a factor SELECT_MFA_TYPE
TRUE TRUE FALSE TRUE FALSE FALSE Set up TOTP MFA_SETUP
TOTP and SMS enabled TRUE TRUE TRUE FALSE TRUE TRUE Select a factor SELECT_MFA_TYPE
TRUE TRUE TRUE FALSE TRUE FALSE Select a factor SELECT_MFA_TYPE
TRUE TRUE TRUE FALSE FALSE TRUE Select a factor SELECT_MFA_TYPE
TRUE TRUE TRUE FALSE FALSE FALSE Set up TOTP MFA_SETUP
Only TOTP enabled TRUE TRUE FALSE FALSE TRUE TRUE Set up TOTP MFA_SETUP
TRUE TRUE FALSE FALSE TRUE FALSE Set up TOTP MFA_SETUP
TRUE TRUE FALSE FALSE FALSE TRUE Set up TOTP MFA_SETUP
TRUE TRUE FALSE FALSE FALSE FALSE Set up TOTP MFA_SETUP
Email and SMS enabled TRUE FALSE TRUE TRUE TRUE TRUE Email MFA is SMS used for recovery, SMS MFA if email is used for recovery, Select a factor if self-service recovery disabled SELECT_MFA_TYPE, EMAIL_OTP, or SMS_MFA
TRUE FALSE TRUE TRUE TRUE FALSE Email MFA EMAIL_OTP
TRUE FALSE TRUE TRUE FALSE TRUE SMS MFA SMS_MFA
TRUE FALSE TRUE TRUE FALSE FALSE Can't sign up InvalidUserPoolConfigurationException
Only email enabled TRUE FALSE FALSE TRUE TRUE TRUE Email MFA EMAIL_OTP
TRUE FALSE FALSE TRUE TRUE FALSE Email MFA EMAIL_OTP
TRUE FALSE FALSE TRUE FALSE TRUE Can't sign up InvalidUserPoolConfigurationException
TRUE FALSE FALSE TRUE FALSE FALSE Can't sign up InvalidUserPoolConfigurationException
Only SMS enabled TRUE FALSE TRUE FALSE TRUE TRUE SMS MFA SMS_MFA
TRUE FALSE TRUE FALSE TRUE FALSE Can't sign up InvalidUserPoolConfigurationException
TRUE FALSE TRUE FALSE FALSE TRUE SMS MFA SMS_MFA
TRUE FALSE TRUE FALSE FALSE FALSE Can't sign up InvalidUserPoolConfigurationException
MFA not required Optional Any Any Any Any Any Signed in. Application admin must take action to register TOTP or set MFA preference. AuthenticationResult or next challenge
Off Any Any Any Any Any Signed in. AuthenticationResult or next challenge

1 If you've already registered a TOTP for the user, issues a SOFTWARE_TOKEN_MFA challenge.

2 If you've already registered a TOTP for the user. If no TOTP is registered, issues an EMAIL_OTP challenge.

3 If you've already registered a TOTP for the user. If no TOTP is registered, issues an SMS_MFA challenge.

API operations for configuring MFA preferences

You can configure MFA preferences for users in a self-service model with access-token authorization, or in an administrator-managed model with administrative API operations. These operations enable or disable MFA methods and set one of multiple methods as the preferred option. After your user has set an MFA preference, Amazon Cognito prompts them at sign-in to provide a code from their preferred MFA method. Users who have not set a preference receive a prompt to choose a preferred method in a SELECT_MFA_TYPE challenge.

  • In a user self-service model or public application, SetUserMfaPreference, authorized with a signed-in user’s access token, sets MFA configuration.

  • In an administrator-managed or confidential application, AdminSetUserPreference, authorized with administrative Amazon credentials, sets MFA configuration.

You can also set user MFA preferences from the Users menu of the Amazon Cognito console. For more information about the public and confidential authentication models in the Amazon Cognito user pools API, see Understanding API, OIDC, and managed login pages authentication.

Configuring a user pool for multi-factor authentication

You can configure MFA in the Amazon Cognito console.

To configure MFA in the Amazon Cognito console
  1. Sign in to the Amazon Cognito console.

  2. Choose User Pools.

  3. Choose an existing user pool from the list, or create a user pool.

  4. Choose the Sign-in menu. Locate Multi-factor authentication and choose Edit.

  5. Choose the MFA enforcement method that you want to use with your user pool.

    A screenshot from the Amazon Cognito console with MFA options.
    1. Require MFA. All users in your user pool must sign in with an additional SMS, email, or time-based one-time password (TOTP) code as an additional authentication factor.

    2. Optional MFA. You can give your users the option to register an additional sign-in factor but still permit users who haven't configured MFA to sign in. If you use adaptive authentication, choose this option. For more information about adaptive authentication, see Advanced security with threat protection.

    3. No MFA. Your users can't register an additional sign-in factor.

  6. Choose the MFA methods that you support in your app. You can set Email message, SMS message or TOTP-generating Authenticator apps as a second factor.

  7. If you use SMS text messages as a second factor and you haven't configured an IAM role to use with Amazon Simple Notification Service (Amazon SNS) for SMS messages, create one in the console. In the Authentication methods menu for your user pool, locate SMS and choose Edit. You can also use an existing role that allows Amazon Cognito to send SMS messages to your users for you. For more information, see IAM Roles.

    If you use email messages as a second factor and you haven't configured an originating identity to use with Amazon Simple Email Service (Amazon SES) for email messages, create one in the console. You must choose the Send email with SES option. In the Authentication methods menu for your user pool, locate Email and choose Edit. Select a FROM email address from the available verified identities in the list. If you choose a verified domain, for example example.com, you must also configure a FROM sender name in the verified domain, for example admin-noreply@example.com.

  8. Choose Save changes.