Adding MFA to a user pool
Multi-factor authentication (MFA) increases security for your app. It adds a "something you have" authentication factor to the "something you know" factor of user name and password. You can choose SMS text messages or time-based one-time passwords (TOTP) as the second factor for signing in your users.
The first time that a new user signs in to your app, Amazon Cognito issues OAuth 2.0 tokens, even if your user pool requires MFA. The second authentication factor when your user signs in for the first time is their confirmation of the verification message that Amazon Cognito sends to them. If your user pool requires MFA, Amazon Cognito prompts your user to register an additional sign-in factor to use during each sign-in attempt after the first.
With adaptive authentication, you can configure your user pool to require second factor authentication in response to an increased risk level. To add adaptive authentication to your user pool, see Adding advanced security to a user pool.
When you set MFA to required for a user pool, all users must complete MFA to sign in. To sign in, each user must set up at least one MFA factor, such as SMS or TOTP. When you set MFA to required, you must include the MFA setup in user onboarding so that your user pool permits them to sign in.
If you activate SMS as an MFA factor, you can require that users provide phone numbers and have your users verify them during sign-up. If you have set MFA to required and only support SMS as a factor, users will need to provide phone numbers. Users without phone numbers need your support to add a phone number to their profile before they can sign in. You can use unverified phone numbers for SMS MFA. These numbers will receive verified status after MFA succeeds.
If you have set MFA to required and you activated SMS and TOTP as supported verification methods, Amazon Cognito prompts new users without phone numbers to set up TOTP MFA. If you have set MFA to required and the only MFA method you activated is TOTP, Amazon Cognito prompts all new users to set up TOTP MFA the second time they sign in. Amazon Cognito generates a challenge to set up TOTP MFA in response to InitiateAuth and AdminInitiateAuth API operations.
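Before switching a pool to MFA required, it helps to know which existing users would be able to sign in and which would be stuck waiting for support to add a phone number. The following is an added example, not AWS code: it applies the rules described above to data shaped like the GetUserPoolMfaConfig and ListUsers API responses (the sample data is constructed, and the result labels are this example's own names, not Cognito challenge names).

```python
"""Pre-flight audit before setting a Cognito user pool's MFA to required."""

def enabled_factors(cfg):
    """Factors the pool lets users complete MFA with: SMS and/or TOTP."""
    factors = set()
    if cfg.get("SmsMfaConfiguration"):
        factors.add("SMS")
    if cfg.get("SoftwareTokenMfaConfiguration", {}).get("Enabled"):
        factors.add("TOTP")
    return factors

def config_problems(cfg):
    """Settings that would lock every user out: required MFA with no factor enabled."""
    problems = []
    if cfg.get("MfaConfiguration") == "ON" and not enabled_factors(cfg):
        problems.append("MFA is required but neither SMS nor TOTP is enabled")
    return problems

def has_phone(user):
    return any(a["Name"] == "phone_number" and a.get("Value")
               for a in user.get("Attributes", []))

def next_sign_in(cfg, user):
    """What this user's next sign-in looks like under the pool's MFA configuration."""
    mode = cfg.get("MfaConfiguration", "OFF")
    if mode == "OFF":
        return "NO_MFA"
    if mode == "OPTIONAL":  # assumption: only users who already set up a factor are prompted
        return "MFA_IF_CONFIGURED"
    factors = enabled_factors(cfg)  # mode == "ON": every sign-in needs a factor
    if has_phone(user) and "SMS" in factors:
        return "SMS_MFA"           # an unverified number becomes verified after success
    if "TOTP" in factors:
        return "MFA_SETUP_TOTP"    # Cognito issues a TOTP setup challenge on sign-in
    return "BLOCKED_NEEDS_PHONE"   # SMS-only pool and no phone: support must add one

def audit(cfg, users):
    """Map each username to its expected path; fix the blocked ones before flipping the switch."""
    return {u["Username"]: next_sign_in(cfg, u) for u in users}

# Constructed sample data, not from a real account.
SAMPLE_CFG = {
    "MfaConfiguration": "ON",
    "SmsMfaConfiguration": {"SmsAuthenticationMessage": "Your code is {####}"},
    "SoftwareTokenMfaConfiguration": {"Enabled": True},
}
SAMPLE_USERS = [
    {"Username": "alice", "Attributes": [{"Name": "phone_number", "Value": "+15555550100"}]},
    {"Username": "bob", "Attributes": [{"Name": "email", "Value": "bob@example.com"}]},
]

if __name__ == "__main__":
    print(config_problems(SAMPLE_CFG), audit(SAMPLE_CFG, SAMPLE_USERS))
```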
Prerequisites
Before you set up MFA, consider the following:
- In the legacy Amazon Cognito console, you can only set MFA as Required when you initially create a user pool. Switch to the new console or use the SetUserPoolMfaConfig API operation to set MFA to required for existing user pools.
- When you activate MFA in your user pool and choose SMS text message as a second factor, you can send SMS messages to a phone number attribute that you haven't verified in Amazon Cognito. After your user completes SMS MFA, Amazon Cognito sets their phone_number_verified attribute to true.
- If your account is in the SMS sandbox in the AWS Region that contains the Amazon Simple Notification Service (Amazon SNS) resources for your user pool, you must verify phone numbers in Amazon SNS before you can send an SMS message. For more information, see SMS message settings for Amazon Cognito user pools.
- Advanced security features require that you activate MFA and set it as optional in the Amazon Cognito user pool console. For more information, see Adding advanced security to a user pool.
Configuring multi-factor authentication
You can configure MFA in the Amazon Cognito console.