Amazon Cognito
Developer Guide (Version Last Updated: 08/26/2017)

Specifying User Pool MFA Setting and Email and Phone Verification Settings


To ensure that SMS messages are sent to verify phone numbers and for MFA, you must request an increased spend limit from Amazon SNS.

Amazon Cognito uses Amazon SNS for sending SMS messages to users. The number of SMS messages Amazon SNS delivers is subject to spend limits. Spend limits can be specified for an AWS account and for individual messages, and the limits apply only to the cost of sending SMS messages.

The default spend limit per account (if not specified) is 1.00 USD per month. If you want to raise the limit, submit an SNS Limit Increase case in the AWS Support Center. For New limit value, enter your desired monthly spend limit. In the Use Case Description field, explain that you are requesting an SMS monthly spend limit increase.

In the Verifications tab, you can choose settings for multi-factor authentication (MFA) and for email and phone verification.


SMS for MFA or for verifying phone numbers is charged separately. (There is no charge for sending verification codes to email addresses.) For information about Amazon SNS pricing, see Worldwide SMS Pricing. For the current list of countries where SMS messaging is available, see Supported Regions and Countries.

Multi-factor Authentication (MFA)

Multi-factor authentication (MFA) increases security for your app by requiring the user to receive and enter an authorization code when signing in to your app, in addition to their username (or alias) and password.

The following MFA settings are available:

  • Required: All users must use MFA. This setting can only be specified when the user pool is created.

  • Optional: Individual users can choose whether to enable MFA for their own user accounts.

  • Off: MFA is disabled for all users.

When MFA is required on a user pool, you must mark either the email attribute or the phone number attribute as required.

When a user signs in with MFA turned on, he or she first enters and submits his or her username and password. The client app will receive a getMFA response indicating where the authorization code was sent. The client app should tell the user where to look for the code (such as which phone number the code was sent to), provide a form for entering the code, and then submit the code to complete the sign-in process. The destination is masked (e.g., only last 4 digits of the phone number are displayed).

The authorization code is valid for 3 minutes.

If a user no longer has access to his or her device where MFA codes are sent, he or she must request help from your customer service office. An administrator with necessary AWS account permissions can change the user's phone number, but only via the AWS Command Line Interface or the API.

When a user successfully goes through the MFA flow, his or her phone number is also marked as verified.

Requiring Email and Phone Number Verification

Verification requires users to retrieve a code from their email or phone to confirm ownership. Verification of a phone or email is necessary to automatically confirm users and enable recovery from forgotten passwords.

Amazon Cognito can automatically verify email addresses and mobile phone numbers by sending a verification code—or, in the case of email, a verification link. For email addresses, the code or link is sent in an email message. For phone numbers, the code is sent in an SMS text message.

The verification code or link is valid for 24 hours.

If verification is selected as required for email or phone, the verification code or link is automatically sent when a user signs up.


The forgotten password flow requires either the user's email or the user's phone number to be verified.


If a user signs up with both a phone number and an email address, and your user pool settings require verification of both attributes, a verification code is sent via SMS to the phone. The email address is not verified, so your app needs to call GetUser to see if an email address is awaiting verification. If it is, the app should call GetUserAttributeVerificationCode to initiate the email verification flow and then submit the verification code by calling VerifyUserAttribute.

Authorizing Amazon Cognito to Send SMS Messages on Your Behalf

To send SMS messages to your users on your behalf, Amazon Cognito needs your permission. To grant that permission, you create an AWS Identity and Access Management (IAM) role by choosing Create role to create the role.