Adding multi-factor authentication (MFA) to a user pool - Amazon Cognito

Multi-factor authentication (MFA) increases security for your app by adding another authentication method instead of relying solely on a user name and password. You can choose SMS text messages or time-based one-time passwords (TOTP) as the second factor when signing in your users.

With adaptive authentication, you can configure your user pool to require second factor authentication in response to an increased risk level. To add adaptive authentication to your user pool, see Adding advanced security to a user pool.

When multi-factor authentication (MFA) is set to required for a user pool, all users must complete MFA to sign in. Each user needs at least one MFA factor, such as SMS or TOTP, set up in order to sign in. To avoid having users blocked from signing in when MFA is required, you must include MFA setup in user onboarding.

If you enable SMS as an MFA factor, you can require phone numbers and have them verified during sign-up. If you have MFA set to required and only support SMS as a factor, most users will need to have a phone number. Users without phone numbers will need your support to add a phone number to their profile before they can sign in. You can use unverified phone numbers for SMS MFA. These numbers will have a verified status after multi-factor authentication succeeds.

Setting up users in user pools for TOTP tokens occurs during initial sign-in. The setting to enable or disable TOTP as an MFA factor for a user pool controls whether users can set up TOTP for themselves. If your users have set up TOTP, they can use it for MFA even if TOTP is later disabled for the user pool.

Prerequisites

Before you begin, you need the following:

  • You can only choose MFA as Required in the Amazon Cognito user pool console when you initially create a user pool. The SetUserPoolMfaConfig API operation can be used to set MFA to required for existing user pools.

  • Phone numbers must be verified if MFA is enabled and SMS text message is chosen as a second factor.

  • Advanced security features require that MFA is enabled, and set as optional in the Amazon Cognito user pool console. For more information, see Adding advanced security to a user pool.

Configuring multi-factor authentication

You can configure MFA in the Amazon Cognito console.

Original console

To configure MFA in the Amazon Cognito console

  1. From the left navigation bar, choose MFA and verifications.

  2. Choose whether MFA is Off, Optional, or Required.

  3. Choose Optional to enable MFA on a per-user basis or if you are using the risk-based adaptive authentication. For more information on adaptive authentication, see Adding advanced security to a user pool.

  4. Choose which second factors to support in your app. Your users can use SMS text message or Time-based One-time Password as a second factor. We recommend using TOTP, which allows SMS to be used as a password recovery mechanism rather than as an authentication factor.

  5. If you're using SMS text messages as a second factor and you don't have an IAM role defined with this permission, then you can create one in the console. Choose Create role to create an IAM role that allows Amazon Cognito to send SMS messages to your users on your behalf. For more information, see IAM Roles.

  6. Choose Save changes.

New console

To configure MFA in the Amazon Cognito console

  1. Go to the Amazon Cognito console. If prompted, enter your AWS credentials.

  2. Choose User Pools.

  3. Choose an existing user pool from the list, or create a user pool.

  4. Choose the Sign-in experience tab. Locate Multi-factor authentication and choose Edit.

  5. Choose the MFA enforcement method you want to use with your user pool.

    1. Require MFA - All users in your user pool must sign in with an additional SMS code or time-based one-time password (TOTP) factor.

    2. Optional MFA - You can give your users the option to register an additional sign-in factor and still allow sign-in by users without MFA configured. Choose this option if you are using adaptive authentication. For more information on adaptive authentication, see Adding advanced security to a user pool.

    3. No MFA - Your users will not be able to register an additional sign-in factor.

  6. Choose the MFA methods that you will support in your app. You can allow SMS message or Authenticator apps with TOTPs as a second factor. We recommend that you implement TOTP-based MFA, allowing SMS to be used for account recovery.

  7. If you're using SMS text messages as a second factor and you don't have an AWS Identity and Access Management role configured to use with Amazon Simple Notification Service for SMS messages, you can create one in the console. In the Messaging tab for your user pool, locate SMS and choose Edit to create an IAM role, or use an existing role, that allows Amazon Cognito to send SMS messages to your users on your behalf. For more information, see IAM Roles.

  8. Choose Save changes.
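The console steps above (and the SetUserPoolMfaConfig note under Prerequisites) map onto a single API call. The following is an added example using boto3, not AWS's own sample code: it builds the parameters for set_user_pool_mfa_config from the same three choices the console offers (enforcement level, TOTP on or off, SMS with an IAM caller role), refuses combinations that would lock users out, and includes a small audit helper of my own (audit_mfa_config) that flags a pool set to Required with SMS as its only factor, the case the page warns about for users without phone numbers. The user pool ID, role ARN and external ID are constructed placeholders.

```python
"""Configure and audit user pool MFA via the Cognito SetUserPoolMfaConfig API.

Added example (not AWS documentation code). Pool ID, IAM role ARN and
external ID values are placeholders; replace them with your own.
"""
from typing import Any, Dict, List, Optional

# API values for MfaConfiguration; "ON" is what the console calls "Required".
VALID_ENFORCEMENT = {"OFF", "OPTIONAL", "ON"}


def build_mfa_config(
    user_pool_id: str,
    enforcement: str,
    enable_totp: bool = True,
    sms_caller_role_arn: Optional[str] = None,
    sms_external_id: Optional[str] = None,
    sms_message: str = "Your authentication code is {####}",
) -> Dict[str, Any]:
    """Return keyword arguments for client.set_user_pool_mfa_config(...).

    SMS settings are included only when an IAM role that lets Cognito publish
    through Amazon SNS is supplied (the role the console's "Create role" makes).
    """
    if enforcement not in VALID_ENFORCEMENT:
        raise ValueError(f"enforcement must be one of {sorted(VALID_ENFORCEMENT)}")
    enable_sms = sms_caller_role_arn is not None
    if enforcement != "OFF" and not (enable_totp or enable_sms):
        # MFA optional/required with no factor offered: nobody could set one up.
        raise ValueError("enable at least one second factor when MFA is OPTIONAL or ON")

    params: Dict[str, Any] = {
        "UserPoolId": user_pool_id,
        "MfaConfiguration": enforcement,
        "SoftwareTokenMfaConfiguration": {"Enabled": enable_totp},
    }
    if enable_sms:
        if not sms_external_id:
            raise ValueError("sms_external_id is required together with the SMS caller role")
        if "{####}" not in sms_message:
            raise ValueError("the SMS message must contain the {####} code placeholder")
        params["SmsMfaConfiguration"] = {
            "SmsAuthenticationMessage": sms_message,
            "SmsConfiguration": {
                "SnsCallerArn": sms_caller_role_arn,
                "ExternalId": sms_external_id,
            },
        }
    return params


def apply_mfa_config(client: Any, **kwargs: Any) -> Dict[str, Any]:
    """Send the configuration. `client` is a boto3 'cognito-idp' client (or a test double)."""
    return client.set_user_pool_mfa_config(**build_mfa_config(**kwargs))


def audit_mfa_config(config: Dict[str, Any]) -> List[str]:
    """Review a GetUserPoolMfaConfig-shaped dict and return human-readable findings.

    Hypothetical helper: the checks encode the guidance on this page, not an AWS API.
    """
    findings: List[str] = []
    mode = config.get("MfaConfiguration", "OFF")
    totp = bool(config.get("SoftwareTokenMfaConfiguration", {}).get("Enabled", False))
    sms = "SmsConfiguration" in config.get("SmsMfaConfiguration", {})
    if mode == "OFF":
        findings.append("MFA is off: sign-in relies on user name and password only")
        return findings
    if not totp:
        findings.append("TOTP (authenticator app) is not enabled; TOTP is the recommended factor")
    if mode == "ON" and sms and not totp:
        findings.append(
            "MFA is required with SMS as the only factor: users without a phone "
            "number cannot sign in until support adds one"
        )
    return findings


if __name__ == "__main__":
    import boto3  # only needed for the live call

    POOL_ID = "us-east-1_EXAMPLE"  # placeholder
    cognito = boto3.client("cognito-idp", region_name="us-east-1")
    apply_mfa_config(cognito, user_pool_id=POOL_ID, enforcement="ON", enable_totp=True)
    current = cognito.get_user_pool_mfa_config(UserPoolId=POOL_ID)
    print(audit_mfa_config(current) or ["no findings"])
```

Running the script requires AWS credentials with cognito-idp:SetUserPoolMfaConfig and GetUserPoolMfaConfig permissions on the pool. Note that, as the page states, this API is the way to switch an existing pool to Required; the console only offers that choice at pool creation.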