SMS text message MFA
When a user signs in with MFA enabled, they first enter and submit their username and password. The client app receives a getMFA response that indicates where the authorization code was sent. The client app should indicate to the user where to look for the code (such as which phone number the code was sent to). Next, it provides a form for entering the code. Finally, the client app submits the code to complete the sign-in process. The destination is masked, which hides all but the last four digits of the phone number. If an app is using the Amazon Cognito hosted UI, it shows a page for the user to enter the MFA code.
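The sign-in sequence described above, written against the user pools API operations InitiateAuth and RespondToAuthChallenge. This is an added example, not code from the original page or from AWS. It assumes the USER_PASSWORD_AUTH flow is enabled on the app client and that idp is a boto3 "cognito-idp" client; sign_in_with_sms_mfa, ask_code and StubIdp are names made up for the example, and the stub's values are constructed so the block runs offline.

```python
def sign_in_with_sms_mfa(idp, client_id, username, password, ask_code):
    """Complete a sign-in that requires an SMS MFA code; return the tokens.

    idp: object with the boto3 "cognito-idp" client methods used below.
    ask_code: callable(masked_destination) -> code typed by the user.
    """
    first = idp.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",  # assumption: enabled on the app client
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    if first.get("AuthenticationResult"):
        return first["AuthenticationResult"]  # no MFA challenge for this user
    if first.get("ChallengeName") != "SMS_MFA":
        raise RuntimeError("unexpected challenge: %r" % first.get("ChallengeName"))

    # The destination arrives already masked; show it to the user as-is.
    masked = first["ChallengeParameters"]["CODE_DELIVERY_DESTINATION"]
    code = ask_code(masked).strip()

    # Session ties the code to this attempt; it expires with the app
    # client's authentication flow session duration.
    second = idp.respond_to_auth_challenge(
        ClientId=client_id,
        ChallengeName="SMS_MFA",
        Session=first["Session"],
        ChallengeResponses={"USERNAME": username, "SMS_MFA_CODE": code},
    )
    return second["AuthenticationResult"]


class StubIdp:
    """Constructed offline stand-in for the client; not AWS behaviour."""

    def initiate_auth(self, **kw):
        return {"ChallengeName": "SMS_MFA", "Session": "constructed-session",
                "ChallengeParameters": {
                    "CODE_DELIVERY_DELIVERY_MEDIUM": "SMS",
                    "CODE_DELIVERY_DESTINATION": "+*******1234"}}

    def respond_to_auth_challenge(self, **kw):
        ok = (kw["Session"] == "constructed-session"
              and kw["ChallengeResponses"]["SMS_MFA_CODE"] == "123456")
        if not ok:
            raise ValueError("constructed stub: code mismatch")
        return {"AuthenticationResult": {"AccessToken": "constructed-token"}}
```

Against the real service, pass boto3.client("cognito-idp") as idp and handle the service's own exceptions for a wrong or expired code instead of the stub's ValueError.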
The SMS text message authorization code is valid for the Authentication flow session duration that you set for your app client.
Set the duration of an authentication flow session in the Amazon Cognito console in the App integration tab, when you modify your app client under App clients and analytics. You can also set the authentication flow session duration in a CreateUserPoolClient or UpdateUserPoolClient API request. For more information, see User pool authentication flow.
If a user no longer has access to the device where the SMS text message MFA codes are sent, they must request help from your customer service office. An administrator with the necessary AWS account permissions can change the user's phone number, but only through the AWS CLI or the API.
When a user successfully goes through the SMS text message MFA flow, their phone number is also marked as verified.
Note
SMS for MFA is charged separately. (There is no charge for sending verification codes to email addresses.) For information about Amazon SNS pricing, see Worldwide SMS Pricing.
Important
To ensure that SMS messages are sent to verify phone numbers and for SMS text message MFA, you must request an increased spend limit from Amazon SNS.
Amazon Cognito uses Amazon SNS for sending SMS messages to users. The number of SMS messages Amazon SNS delivers is subject to spend limits. Spend limits can be specified for an AWS account and for individual messages, and the limits apply only to the cost of sending SMS messages.
The default spend limit per account (if not specified) is 1.00 USD per month. If you want to raise the limit, submit an SNS Limit Increase case in the AWS Support Center. For New limit value, enter your desired monthly spend limit. In the Use Case Description field, explain that you're requesting an SMS monthly spend limit increase.
To add MFA to your user pool, see Adding MFA to a user pool. For more information about SMS messages with Amazon SNS in your user pool, see SMS message settings for Amazon Cognito user pools.