Adding MFA to a user pool
MFA adds a "something you have" authentication factor to the initial "something you know" factor, which is typically a username and password. You can choose SMS text messages, email messages, or time-based one-time passwords (TOTP) as additional factors for signing in your users.
Multi-factor authentication (MFA) increases security for the local users in your application. In the case of federated users, Amazon Cognito delegates all authentication processes to the IdP and doesn't offer them additional authentication factors.
Note
The first time that a new user signs in to your app, Amazon Cognito issues OAuth 2.0 tokens, even if your user pool requires MFA. The second authentication factor when your user signs in for the first time is their confirmation of the verification message that Amazon Cognito sends to them. If your user pool requires MFA, Amazon Cognito prompts your user to register an additional sign-in factor to use during each sign-in attempt after the first.
With adaptive authentication, you can configure your user pool to require an additional authentication factor in response to an increased risk level. To add adaptive authentication to your user pool, see Advanced security with threat protection.
When you set MFA to required for a user pool, all users must complete MFA to sign in. To sign in, each user must set up at least one MFA factor. When MFA is required, you must include the MFA setup in user onboarding so that your user pool permits them to sign in.
Managed login prompts users to set up MFA when you set MFA to be required. When you set MFA to be optional in your user pool, managed login doesn't prompt users. To work with optional MFA, you must build an interface in your app that prompts your users to select that they want to set up MFA, then guides them through the API inputs to verify their additional sign-in factor.
Things to know about user pool MFA
Before you set up MFA, consider the following:
- A user's preferred MFA method influences the methods they can use to recover their password. Users whose preferred MFA is by email message can't receive a password-reset code by email. Users whose preferred MFA is by SMS message can't receive a password-reset code by SMS.
  Your password recovery settings must provide an alternative option when users aren't eligible for your preferred password-reset method. For example, your recovery mechanisms might have email as first priority and email MFA might be an option in your user pool. In this case, add SMS-message account recovery as a second option or use administrative API operations to reset passwords for those users.
- Users can't receive MFA and password reset codes at the same email address or phone number. If they use one-time passwords (OTPs) from email messages for MFA, they must use SMS messages for account recovery. If they use OTPs from SMS messages for MFA, they must use email messages for account recovery. In user pools with MFA, users might be unable to complete self-service password recovery if they have attributes for their email address but no phone number, or their phone number but no email address.
  To prevent the state where users can't reset their passwords in user pools with this configuration, set the email and phone_number attributes as required. As an alternative, you can set up processes that always collect and set those attributes when users sign up or when your administrators create user profiles. When users have both attributes, Amazon Cognito automatically sends password-reset codes to the destination that is not the user's MFA factor.
- When you activate MFA in your user pool and choose SMS message or Email message as a second factor, you can send messages to a phone number or email attribute that you haven't verified in Amazon Cognito. After your user completes MFA, Amazon Cognito sets their phone_number_verified or email_verified attribute to true.
- After five unsuccessful attempts to present an MFA code, Amazon Cognito begins the exponential-timeout lockout process described at Lockout behavior for failed sign-in attempts.
- If your account is in the SMS sandbox in the Amazon Web Services Region that contains the Amazon Simple Notification Service (Amazon SNS) resources for your user pool, you must verify phone numbers in Amazon SNS before you can send an SMS message. For more information, see SMS message settings for Amazon Cognito user pools.
- To change the MFA status of users in response to detected events with threat protection, activate MFA and set it as optional in the Amazon Cognito user pool console. For more information, see Advanced security with threat protection.
- Email and SMS messages require that your users have email address and phone number attributes, respectively. You can set email or phone_number as required attributes in your user pool. In this case, users can't complete sign-up unless they provide an email address or phone number, respectively. If you don't set these attributes as required but want to do email or SMS message MFA, prompt users for their email address or phone number when they sign up. As a best practice, configure your user pool to automatically message users to verify these attributes.
  Amazon Cognito counts a phone number or email address as verified if a user has successfully received a temporary code by SMS or email message and returned that code in a VerifyUserAttribute API request. As an alternative, your team can set phone numbers and mark them as verified with an administrative application that performs AdminUpdateUserAttributes API requests.
- If you have set MFA to be required and you activated more than one authentication factor, Amazon Cognito prompts new users to select an MFA factor that they want to use. Users must have a phone number to set up SMS message MFA, and an email address to set up email message MFA. If a user doesn't have the attribute defined for any available message-based MFA, Amazon Cognito prompts them to set up TOTP MFA. The prompt to choose an MFA factor (SELECT_MFA_TYPE) and to set up a chosen factor (MFA_SETUP) is returned as the ChallengeName in the response to the InitiateAuth and AdminInitiateAuth API operations.
User MFA preferences
Users can set up multiple MFA factors. Only one can be active. You can choose the effective MFA preference for your users in user pool settings or from user prompts. A user pool prompts a user for MFA codes when user pool settings and their own user-level settings meet the following conditions:
- You set MFA to optional or required in your user pool.
- The user has a valid email or phone_number attribute, or has set up an authenticator app for TOTP.
- At least one MFA factor is active.
- One MFA factor is set as preferred.
User pool settings and their effect on MFA options
The configuration of your user pool influences the MFA methods that users can choose. The following are some user pool settings that influence users’ ability to set an MFA preference:
- In the Multi-factor authentication configuration in the Sign-in menu of the Amazon Cognito console, you can set MFA to optional or required, or turn it off. The API equivalent of this setting is the MfaConfiguration parameter of CreateUserPool, UpdateUserPool, and SetUserPoolMfaConfig. Also in the Multi-factor authentication configuration, the MFA methods setting determines the MFA factors that users can set up. The API equivalent of this setting is the SetUserPoolMfaConfig operation.
  In the Sign-in menu, under User account recovery, you can configure the way that your user pool sends messages to users who forget their password. A user’s preferred MFA method can’t have the same delivery method as the highest-priority Recovery message delivery method in your user pool. The API equivalent of this configuration is the AccountRecoverySetting parameter of CreateUserPool and UpdateUserPool. For example, users can’t set email MFA as preferred when your recovery option is Email only or Email if available, otherwise SMS. Change the delivery method to SMS only or SMS if available, otherwise email.
- If you set only one MFA method as available, you don’t need to manage user MFA preferences.
- An active SMS configuration automatically makes SMS messages an available MFA method in your user pool.
  An active email configuration with your own Amazon SES resources in a user pool, and the Essentials or Plus feature plan, automatically makes email messages an available MFA method in your user pool.
- When you set MFA to required in a user pool, users can’t enable or disable any MFA methods. You can only set a preferred method.
- When you set MFA to optional in a user pool, managed login doesn’t prompt users to set up MFA, but it does prompt users for an MFA code when they have a preferred MFA method.
- When you activate threat protection and configure adaptive-authentication responses in full-function mode, MFA must be optional in your user pool. One of the response options with adaptive authentication is to require MFA for a user whose sign-in attempt is evaluated to contain a level of risk.
- The Required attributes setting in the Sign-up menu of the console determines whether users must provide an email address or phone number to sign up in your application. Email and SMS messages become eligible MFA factors when a user has the corresponding attribute. The Schema parameter of CreateUserPool sets attributes as required.
When you set MFA to required in a user pool and a user signs in with managed login, Amazon Cognito prompts them to select an MFA method from the available methods for your user pool. Managed login handles the collection of an email address or phone number and the setup of TOTP.
The following table lists the detailed effects of user pool configuration on sign-in attempts immediately after initial sign-up.
| Details | MFA required | TOTP enabled | SMS enabled | Email enabled | Has email address | Has phone number | Outcome after sign-up (managed login) | Challenge/Outcome after sign-up (SDK) |
|---|---|---|---|---|---|---|---|---|
| All enabled | TRUE | TRUE | TRUE | TRUE | TRUE | TRUE | Select a factor | SELECT_MFA_TYPE |
| | TRUE | TRUE | TRUE | TRUE | FALSE | FALSE | Set up TOTP | MFA_SETUP ¹ |
| | TRUE | TRUE | TRUE | TRUE | TRUE | FALSE | Select a factor | SELECT_MFA_TYPE ² |
| | TRUE | TRUE | TRUE | TRUE | FALSE | TRUE | Select a factor | SELECT_MFA_TYPE ³ |
| TOTP and email enabled | TRUE | TRUE | FALSE | TRUE | TRUE | TRUE | Select a factor | SELECT_MFA_TYPE |
| | TRUE | TRUE | FALSE | TRUE | TRUE | FALSE | Select a factor | SELECT_MFA_TYPE |
| | TRUE | TRUE | FALSE | TRUE | FALSE | TRUE | Select a factor | SELECT_MFA_TYPE |
| | TRUE | TRUE | FALSE | TRUE | FALSE | FALSE | Set up TOTP | MFA_SETUP |
| TOTP and SMS enabled | TRUE | TRUE | TRUE | FALSE | TRUE | TRUE | Select a factor | SELECT_MFA_TYPE |
| | TRUE | TRUE | TRUE | FALSE | TRUE | FALSE | Select a factor | SELECT_MFA_TYPE |
| | TRUE | TRUE | TRUE | FALSE | FALSE | TRUE | Select a factor | SELECT_MFA_TYPE |
| | TRUE | TRUE | TRUE | FALSE | FALSE | FALSE | Set up TOTP | MFA_SETUP |
| Only TOTP enabled | TRUE | TRUE | FALSE | FALSE | TRUE | TRUE | Set up TOTP | MFA_SETUP |
| | TRUE | TRUE | FALSE | FALSE | TRUE | FALSE | Set up TOTP | MFA_SETUP |
| | TRUE | TRUE | FALSE | FALSE | FALSE | TRUE | Set up TOTP | MFA_SETUP |
| | TRUE | TRUE | FALSE | FALSE | FALSE | FALSE | Set up TOTP | MFA_SETUP |
| Email and SMS enabled | TRUE | FALSE | TRUE | TRUE | TRUE | TRUE | Email MFA if SMS is used for recovery; SMS MFA if email is used for recovery; Select a factor if self-service recovery is disabled | SELECT_MFA_TYPE, EMAIL_OTP, or SMS_MFA |
| | TRUE | FALSE | TRUE | TRUE | TRUE | FALSE | Email MFA | EMAIL_OTP |
| | TRUE | FALSE | TRUE | TRUE | FALSE | TRUE | SMS MFA | SMS_MFA |
| | TRUE | FALSE | TRUE | TRUE | FALSE | FALSE | Can't sign up | InvalidUserPoolConfigurationException |
| Only email enabled | TRUE | FALSE | FALSE | TRUE | TRUE | TRUE | Email MFA | EMAIL_OTP |
| | TRUE | FALSE | FALSE | TRUE | TRUE | FALSE | Email MFA | EMAIL_OTP |
| | TRUE | FALSE | FALSE | TRUE | FALSE | TRUE | Can't sign up | InvalidUserPoolConfigurationException |
| | TRUE | FALSE | FALSE | TRUE | FALSE | FALSE | Can't sign up | InvalidUserPoolConfigurationException |
| Only SMS enabled | TRUE | FALSE | TRUE | FALSE | TRUE | TRUE | SMS MFA | SMS_MFA |
| | TRUE | FALSE | TRUE | FALSE | TRUE | FALSE | Can't sign up | InvalidUserPoolConfigurationException |
| | TRUE | FALSE | TRUE | FALSE | FALSE | TRUE | SMS MFA | SMS_MFA |
| | TRUE | FALSE | TRUE | FALSE | FALSE | FALSE | Can't sign up | InvalidUserPoolConfigurationException |
| MFA not required | Optional | Any | Any | Any | Any | Any | Signed in. Application admin must take action to register TOTP or set MFA preference. | AuthenticationResult or next challenge |
| | Off | Any | Any | Any | Any | Any | Signed in. | AuthenticationResult or next challenge |
¹ If you've already registered a TOTP for the user, Amazon Cognito issues a SOFTWARE_TOKEN_MFA challenge instead.
² SELECT_MFA_TYPE only if you've already registered a TOTP for the user. If no TOTP is registered, Amazon Cognito issues an EMAIL_OTP challenge.
³ SELECT_MFA_TYPE only if you've already registered a TOTP for the user. If no TOTP is registered, Amazon Cognito issues an SMS_MFA challenge.
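The following is an added example, not code from Amazon or from this guide. It drives a user-pool sign-in through the challenges in the table above (SELECT_MFA_TYPE, MFA_SETUP, SOFTWARE_TOKEN_MFA, SMS_MFA, EMAIL_OTP) and validates each answer before it is sent, so a malformed code never consumes one of the five failed attempts that precede lockout. The `client` argument only needs the method names of the boto3 CognitoIdentityProvider client; `FakeCognito`, `demo_prompt`, the session strings, and the delivery destination are constructed stand-ins so the example runs offline. MFA_SETUP is handled for TOTP only (AssociateSoftwareToken, VerifySoftwareToken, then RespondToAuthChallenge), which is an assumption about how your app registers factors.

```python
"""Added example: answer Amazon Cognito MFA challenges from an SDK client."""

# ChallengeResponses key that carries the code for each code-entry challenge.
CODE_KEY = {
    "SMS_MFA": "SMS_MFA_CODE",
    "EMAIL_OTP": "EMAIL_OTP_CODE",
    "SOFTWARE_TOKEN_MFA": "SOFTWARE_TOKEN_MFA_CODE",
}
MFA_CHOICES = ("SMS_MFA", "EMAIL_OTP", "SOFTWARE_TOKEN_MFA")


def challenge_responses(challenge, username, *, code=None, choice=None):
    """Build the ChallengeResponses map for RespondToAuthChallenge.

    Input is validated locally first: sending a malformed code would burn one
    of the five failed attempts that precede the lockout process."""
    if challenge == "SELECT_MFA_TYPE":
        if choice not in MFA_CHOICES:
            raise ValueError(f"unsupported MFA choice {choice!r}")
        return {"USERNAME": username, "ANSWER": choice}
    if challenge in CODE_KEY:
        if not (isinstance(code, str) and code.isdigit() and len(code) == 6):
            raise ValueError("MFA codes are six digits")
        return {"USERNAME": username, CODE_KEY[challenge]: code}
    if challenge == "MFA_SETUP":
        # TOTP registration happens out of band (associate + verify); the
        # challenge itself is then answered with the username and session.
        return {"USERNAME": username}
    raise ValueError(f"unhandled challenge {challenge!r}")


def sign_in(client, client_id, username, password, prompt, max_rounds=8):
    """Run USER_PASSWORD_AUTH and answer challenges until tokens are issued.

    prompt(kind, params) supplies user input: an MFA choice for
    SELECT_MFA_TYPE, a six-digit code for SMS_MFA/EMAIL_OTP/SOFTWARE_TOKEN_MFA,
    and the authenticator code for "TOTP_SECRET" during TOTP setup."""
    resp = client.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    for _ in range(max_rounds):  # bound the loop; no legitimate flow chains more
        if "AuthenticationResult" in resp:
            return resp["AuthenticationResult"]
        challenge, session = resp["ChallengeName"], resp["Session"]
        params = resp.get("ChallengeParameters", {})
        if challenge == "MFA_SETUP":
            # "Set up TOTP" rows of the table: register an authenticator first.
            assoc = client.associate_software_token(Session=session)
            verified = client.verify_software_token(
                Session=assoc["Session"],
                UserCode=prompt("TOTP_SECRET", assoc["SecretCode"]),
            )
            if verified.get("Status") != "SUCCESS":
                raise RuntimeError("TOTP verification failed")
            session = verified["Session"]
            answers = challenge_responses(challenge, username)
        elif challenge == "SELECT_MFA_TYPE":
            answers = challenge_responses(challenge, username, choice=prompt(challenge, params))
        else:
            answers = challenge_responses(challenge, username, code=prompt(challenge, params))
        resp = client.respond_to_auth_challenge(
            ClientId=client_id, ChallengeName=challenge,
            Session=session, ChallengeResponses=answers,
        )
    raise RuntimeError("challenge loop did not converge")


class FakeCognito:
    """Constructed stand-in for the boto3 client: MFA required, TOTP and SMS
    enabled, user has a phone number, so sign-in starts with SELECT_MFA_TYPE."""

    def __init__(self, sms_code="123456"):
        self.sms_code = sms_code
        self.calls = []

    def initiate_auth(self, **kw):
        self.calls.append("initiate_auth")
        return {"ChallengeName": "SELECT_MFA_TYPE", "Session": "s1",
                "ChallengeParameters": {"MFAS_CAN_CHOOSE": '["SMS_MFA","SOFTWARE_TOKEN_MFA"]'}}

    def respond_to_auth_challenge(self, **kw):
        name, answers = kw["ChallengeName"], kw["ChallengeResponses"]
        self.calls.append(name)
        if name == "SELECT_MFA_TYPE" and answers["ANSWER"] == "SMS_MFA":
            return {"ChallengeName": "SMS_MFA", "Session": "s2",
                    "ChallengeParameters": {"CODE_DELIVERY_DESTINATION": "+*******0100"}}
        if name == "SMS_MFA" and answers.get("SMS_MFA_CODE") == self.sms_code:
            return {"AuthenticationResult": {"AccessToken": "fake-access", "IdToken": "fake-id"}}
        raise PermissionError("CodeMismatchException")  # the real service raises on a wrong code


def demo_prompt(kind, params):
    """Constructed user input for the demo: pick SMS, then enter the code."""
    return {"SELECT_MFA_TYPE": "SMS_MFA", "SMS_MFA": "123456"}[kind]


if __name__ == "__main__":
    fake = FakeCognito()
    print(sign_in(fake, "client-id", "alice", "pw", demo_prompt), fake.calls)
```

With a real client, pass `boto3.client("cognito-idp").` and a `prompt` that reads from your UI; the function returns the AuthenticationResult map (access, ID, and refresh tokens) once the preferred factor has been satisfied. Keep the loop bound: a client that retries indefinitely on a re-issued challenge turns a code-entry bug into a self-inflicted lockout.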
API operations for configuring MFA preferences
You can configure MFA preferences for users in a self-service model with access-token authorization, or in an administrator-managed model with administrative API operations. These operations enable or disable MFA methods and set one of multiple methods as the preferred option. After your user has set an MFA preference, Amazon Cognito prompts them at sign-in to provide a code from their preferred MFA method. Users who have not set a preference receive a prompt to choose a preferred method in a SELECT_MFA_TYPE challenge.
- In a user self-service model or public application, SetUserMFAPreference, authorized with a signed-in user’s access token, sets MFA configuration.
- In an administrator-managed or confidential application, AdminSetUserMFAPreference, authorized with administrative Amazon Web Services credentials, sets MFA configuration.
You can also set user MFA preferences from the Users menu of the Amazon Cognito console. For more information about the public and confidential authentication models in the Amazon Cognito user pools API, see Understanding API, OIDC, and managed login pages authentication.
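The following is an added example, not code from Amazon or from this guide. It pre-flights a user's MFA preference against the rules stated under "User pool settings and their effect on MFA options" and in the list above before the AdminSetUserMFAPreference (or SetUserMFAPreference) call is made: the preferred factor must be an available method, the user must hold the attribute it delivers to, its delivery method must differ from the highest-priority recovery mechanism, and a message-based factor on the user's only contact attribute must not leave them without a channel for password-reset codes. The AccountRecoverySetting shape and the SMSMfaSettings, SoftwareTokenMfaSettings, and EmailMfaSettings request fields are those of the user pools API; the helper names, the pool summary dictionary, and the sample users are ours.

```python
"""Added example: validate and build an AdminSetUserMFAPreference request."""

DELIVERY_OF = {"SMS_MFA": "sms", "EMAIL_OTP": "email", "SOFTWARE_TOKEN_MFA": None}
ATTRIBUTE_FOR = {"SMS_MFA": "phone_number", "EMAIL_OTP": "email"}
SETTINGS_KEY = {
    "SMS_MFA": "SMSMfaSettings",
    "SOFTWARE_TOKEN_MFA": "SoftwareTokenMfaSettings",
    "EMAIL_OTP": "EmailMfaSettings",
}
RECOVERY_DELIVERY = {"verified_email": "email", "verified_phone_number": "sms", "admin_only": None}


def highest_priority_recovery(account_recovery_setting):
    """Delivery method ("email", "sms", or None for admin_only / unset) of the
    Priority 1 entry in an AccountRecoverySetting structure."""
    mechanisms = account_recovery_setting.get("RecoveryMechanisms") or []
    if not mechanisms:
        return None
    first = min(mechanisms, key=lambda m: m["Priority"])
    return RECOVERY_DELIVERY[first["Name"]]


def check_preference(preferred, also_enabled, user_attributes, account_recovery_setting, pool_mfa):
    """Return the list of problems with making `preferred` (plus `also_enabled`)
    a user's MFA configuration; an empty list means the call is safe to make.

    pool_mfa (our summary shape): {"MfaConfiguration": "ON"|"OPTIONAL"|"OFF",
                                   "Methods": set of factor names}
    user_attributes: {"email": ..., "phone_number": ...} taken from the user"""
    problems = []
    if pool_mfa["MfaConfiguration"] == "OFF":
        problems.append("user pool MFA is OFF, so the preference would have no effect")
    for factor in {preferred, *also_enabled}:
        if factor not in pool_mfa["Methods"]:
            problems.append(f"{factor} is not an available MFA method in the user pool")
        attr = ATTRIBUTE_FOR.get(factor)
        if attr and not user_attributes.get(attr):
            problems.append(f"{factor} needs the {attr} attribute, which the user lacks")
    delivery = DELIVERY_OF[preferred]
    if delivery and delivery == highest_priority_recovery(account_recovery_setting):
        problems.append(f"{preferred} shares its delivery method with the highest-priority recovery method")
    # A message-based factor on the user's only contact attribute leaves no
    # channel for password-reset codes (they cannot go to the MFA destination).
    other_attr = {"email": "phone_number", "sms": "email"}.get(delivery)
    if other_attr and not user_attributes.get(other_attr):
        problems.append(f"with {preferred} as preferred and no {other_attr}, the user cannot self-service a password reset")
    return problems


def admin_mfa_preference_kwargs(user_pool_id, username, preferred, also_enabled=()):
    """Keyword arguments for boto3 admin_set_user_mfa_preference: every listed
    factor enabled, exactly one marked PreferredMfa."""
    kwargs = {"UserPoolId": user_pool_id, "Username": username}
    for factor in {preferred, *also_enabled}:
        kwargs[SETTINGS_KEY[factor]] = {"Enabled": True, "PreferredMfa": factor == preferred}
    return kwargs


# Constructed sample inputs.
POOL = {"MfaConfiguration": "ON", "Methods": {"SMS_MFA", "EMAIL_OTP", "SOFTWARE_TOKEN_MFA"}}
EMAIL_FIRST_RECOVERY = {"RecoveryMechanisms": [
    {"Priority": 1, "Name": "verified_email"},
    {"Priority": 2, "Name": "verified_phone_number"},
]}
ALICE = {"email": "alice@example.com", "phone_number": "+15555550100"}
BOB = {"email": "bob@example.com"}  # no phone number on file

if __name__ == "__main__":
    print(check_preference("EMAIL_OTP", set(), ALICE, EMAIL_FIRST_RECOVERY, POOL))
    print(admin_mfa_preference_kwargs("us-east-1_EXAMPLE", "alice", "SMS_MFA", {"SOFTWARE_TOKEN_MFA"}))
```

Run the check in the same administrative path that calls `admin_set_user_mfa_preference`, and fail closed on a non-empty list: the service accepts a preference that later strands the user at password reset, so the consistency rule has to be enforced by your own code.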
Configuring a user pool for multi-factor authentication
You can configure MFA in the Amazon Cognito console.
To configure MFA in the Amazon Cognito console
- Sign in to the Amazon Cognito console.
- Choose User Pools.
- Choose an existing user pool from the list, or create a user pool.
- Choose the Sign-in menu. Locate Multi-factor authentication and choose Edit.
- Choose the MFA enforcement method that you want to use with your user pool.
  - Require MFA. All users in your user pool must sign in with an SMS, email, or time-based one-time password (TOTP) code as an additional authentication factor.
  - Optional MFA. You can give your users the option to register an additional sign-in factor but still permit users who haven't configured MFA to sign in. If you use adaptive authentication, choose this option. For more information about adaptive authentication, see Advanced security with threat protection.
  - No MFA. Your users can't register an additional sign-in factor.
- Choose the MFA methods that you support in your app. You can set Email message, SMS message, or TOTP-generating Authenticator apps as a second factor.
- If you use SMS text messages as a second factor and you haven't configured an IAM role to use with Amazon Simple Notification Service (Amazon SNS) for SMS messages, create one in the console. In the Authentication methods menu for your user pool, locate SMS and choose Edit. You can also use an existing role that allows Amazon Cognito to send SMS messages to your users for you. For more information, see IAM Roles.
  If you use email messages as a second factor and you haven't configured an originating identity to use with Amazon Simple Email Service (Amazon SES) for email messages, create one in the console. You must choose the Send email with SES option. In the Authentication methods menu for your user pool, locate Email and choose Edit. Select a FROM email address from the available verified identities in the list. If you choose a verified domain, for example example.com, you must also configure a FROM sender name in the verified domain, for example admin-noreply@example.com.
- Choose Save changes.