Adding Multi-Factor Authentication (MFA) to a User Pool
Multi-factor authentication (MFA) increases security for your app by adding another authentication method, and not relying solely on user name and password. You can choose to use SMS text messages, or time-based one-time (TOTP) passwords as second factors in signing in your users.
With adaptive authentication, you can configure your user pool to require second factor authentication in response to an increased risk level. To add adaptive authentication to your user pool, see Adding Advanced Security to a User Pool.
Topics
Prerequisites
Before you begin, you need:
-
You can only choose MFA as Required when you initially create a user pool.
-
Phone numbers must be verified if MFA is enabled and SMS text message is chosen as a second factor.
-
Advanced security features require that MFA is enabled, and set as optional in the Amazon Cognito user pool console. For more information, see Adding Advanced Security to a User Pool.
Configuring Multi-Factor Authentication
To configure MFA in the Amazon Cognito console
-
From the left navigation bar, choose MFA and verifications.
-
Choose whether MFA is Off, Optional, or Required.
-
Choose Optional to enable MFA on a per-user basis, or if you are using the risk-based adaptive authentication. For more information on adaptive authentication, see Adding Advanced Security to a User Pool.
-
Your users can use SMS text message or Time-based One-time Password as a second factor. Choose which second factors to support in your app. We recommend using TOTP for second factor. This allows SMS to be used as a password recovery mechanism which is disjoint from an authentication factor.
-
If you're using SMS text messages as a second factor and you don't have an IAM role defined with this permission, then you can create one in the console. Choose Create role to create an IAM role to allow Amazon Cognito to send SMS messages to your users on your behalf. For more information, see IAM Roles.
-
Choose Save changes.
