Email MFA - Amazon Cognito

Email MFA

Note

This page covers the additional capabilities that Amazon Cognito user pools advanced security features add to multi-factor authentication (MFA). For a full overview of MFA, see Adding MFA to a user pool.

Amazon Cognito user pools with advanced security features can be configured to use email as the second factor in multi-factor authentication (MFA). With email MFA, Amazon Cognito can send users an email with a verification code that they must enter to complete the authentication process. This adds an important extra layer of security to the user login flow. To enable email-based MFA, the user pool must be configured to use the Amazon SES email-sending configuration instead of the default email configuration.

When your user selects MFA by email message, Amazon Cognito will send a one-time verification code to the user's registered email address whenever they attempt to sign in. The user must then provide this code back to your user pool to complete the authentication flow and gain access. This ensures that even if a user's username and password are compromised, they must provide an additional factor—the emailed code—before they can access your application resources.

For more information, see SMS and email message MFA. The following is an overview of how to set up your user pool and users for email MFA.

To set up email MFA
  1. Activate advanced security features.

  2. In the Sign-in experience tab of your user pool, locate Multi-factor authentication and select Edit.

  3. Choose the level of MFA enforcement that you want to set up. With Require MFA, users who sign in through the API automatically receive a challenge to set up, confirm, and sign in with MFA. In user pools that require MFA, the hosted UI prompts them to choose and set up an MFA factor. With Optional MFA, your application must offer users the option to set up MFA and set the user's preference for email MFA.

  4. Under MFA methods, select Email message as one of the options.

  5. Choose Save changes.