Menu
Amazon Cognito
Developer Guide

Adaptive Authentication

Adaptive authentication increases the security of user sign-in with Amazon Cognito User Pools without adding unnecessary friction for your users. For each sign-in attempt, Amazon Cognito calculates a risk score for whether the attempt is from an attacker. This risk score is based on many factors, including whether the device is unrecognized, the user location is new, the IP address is new, etc. You can configure your user pool to block sign-ins or require second factors at different risk levels.

In the Advanced security tab, you can choose settings for adaptive authentication, including what actions to take at different risk levels and customization of notification messages to users.

For each risk level, you can choose from the following options:

Option

Action

Allow The sign-in attempt is allowed without an additional factor.
Optional MFA Users who have MFA configured will be required to complete a second factor challenge to sign in; users who do not have MFA configured will be allowed to sign in without an additional factor.
Require MFA Users who have MFA configured will be required to complete a second factor challenge to sign in; users who do not have MFA configured will be blocked from signing in.
Block All sign-in attempts at that risk level will be blocked.

You can also choose whether to notify users with emails about sign-in attempts at each risk level. For more information, see Notification Messages and Feedback.

Amazon Cognito will publish sign-in attempts, their risk levels, and failed challenges to Amazon CloudWatch. For more information, see Viewing Advanced Security Metrics.

You should incorporate the latest Amazon Cognito SDK into your app to enable adaptive authentication to collect device fingerprinting information, such as device ID, model, and timezone, among other context features.

Note

If you call Amazon Cognito APIs such as AdminInitiateAuth or AdminRespondToAuthChallenge from your server, you will need to pass the source IP of the user in the ContextData, in addition to your server name, server path, and encoded device fingerprinting data collected using the Amazon Cognito context data collection library.

Notification Messages and Feedback

Amazon Cognito advanced security protections can notify your users of sign-in attempts, prompt them to click links to indicate if the sign-in was valid or invalid, and use their feedback to improve the risk detection accuracy for your user pool. You can customize the emails and provide both plaintext and HTML versions.

In addition, you can provide feedback on the validity of sign-in attempts through the Amazon Cognito console and APIs. In the console, on the Users and groups tab, the sign-in history is listed, and if you click an entry, you can mark the event as valid or invalid. You can also provide feedback through the AdminUpdateEventFeedback API. Event feedback affects the risk evaluation in real time as well as improves the risk evaluation algorithm over time.

Event User History

In the Users and groups tab of the Amazon Cognito console, select a user to see that user’s recent sign-in events. Each sign-in event has an event ID, context data such as location, device details, and risk detection results associated with it.

You can correlate the event id to the token issued as well. The issued token, such as the ID token and access token, will carry this event id in its payload. Even using the refresh token will persist the original event ID, which can be traced back to the event ID of the sign-in event that resulted in issuing the Amazon Cognito tokens. This enables you to trace usage of a token within your system to a particular authentication event.