SMS text message MFA

When a user signs in with MFA enabled, they first enter and submit their username and password. The client app receives a getMFA response that indicates where the authorization code was sent. The client app should indicate to the user where to look for the code (such as which phone number the code was sent to). Next, it provides a form for entering the code. Finally, the client app submits the code to complete the sign-in process. The destination is masked, which hides all but the last four digits of the phone number. If an app is using the Amazon Cognito hosted UI, it shows a page for the user to enter the MFA code.

The SMS text message authorization code is valid for the Authentication flow session duration that you set for you app client.

Set the duration of an authentication flow session in the Amazon Cognito console in the App integration tab, when you modify your app client under App clients and analytics. You can also set the authentication flow session duration in a CreateUserPoolClient or UpdateUserPoolClient API request. For more information, see User pool authentication flow.

If a user no longer has access to their device where the SMS text message MFA codes are sent, they must request help from your customer service office. An administrator with necessary AWS account permissions can change the user's phone number, but only through the AWS CLI or the API.

When a user successfully goes through the SMS text message MFA flow, their phone number is also marked as verified.

Note

SMS for MFA is charged separately. (There is no charge for sending verification codes to email addresses.) For information about Amazon SNS pricing, see Worldwide SMS Pricing. For the current list of countries where SMS messaging is available, see Supported Regions and Countries.

Important

To ensure that SMS messages are sent to verify phone numbers and for SMS text message MFA, you must request an increased spend limit from Amazon SNS.

Amazon Cognito uses Amazon SNS for sending SMS messages to users. The number of SMS messages Amazon SNS delivers is subject to spend limits. Spend limits can be specified for an AWS account and for individual messages, and the limits apply only to the cost of sending SMS messages.

The default spend limit per account (if not specified) is 1.00 USD per month. If you want to raise the limit, submit an SNS Limit Increase case in the AWS Support Center. For New limit value, enter your desired monthly spend limit. In the Use Case Description field, explain that you're requesting an SMS monthly spend limit increase.

To add MFA to your user pool, see Adding MFA to a user pool. For more information about SMS messages with Amazon SNS in your user pool, see SMS message settings for Amazon Cognito user pools.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Adding MFA

TOTP software token MFA