Multi-Factor Authentication in AWS: A Practical Guide

What Is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is a security mechanism that requires an individual to provide two or more pieces of evidence (or factors) to confirm their identity before gaining access to a system or data. These factors usually fall into one of three categories: something you know (like a password), something you have (like a physical token or access card), and something you are (like a fingerprint or retinal pattern).

MFA can help bolster the security of your AWS account and resources. When activated, MFA requires users to present not just their usual login credentials, but also a unique authentication code from an approved MFA device. This additional layer of security makes it even more difficult for potential attackers to access a user’s account, even if they somehow manage to get hold of a password.

Which AWS Identity Services Support MFA?

Amazon provides two cloud services that allow you to implement MFA: Amazon Cognito, which is an authentication solution you can use for any application, and AWS Identity and Access Management (IAM), which is used to control access to AWS cloud resources.

Amazon Cognito

Amazon Cognito is a service that makes it easy to add user sign-up, sign-in, and access control to your applications. It provides solutions to control access to backend resources from your app, and it handles much of the heavy lifting involved in managing users and their identities.

With Amazon Cognito, you can easily add MFA to your application’s sign-in flow. It supports two authentication methods in addition to username and password: SMS text messages and time-based one-time passwords (TOTP). Users have the option to choose their preferred MFA method.

Amazon Identity and Access Management (IAM)

AWS IAM is a solution that manages access to all AWS resources and services. It lets you create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

AWS IAM also allows you to enable MFA, adding an extra layer of protection on top of the standard username and password. This means that users must provide a unique authentication code from their MFA device, in addition to their regular AWS credentials, every time they sign in to their AWS account.

Amazon IAM provides several authentication methods in addition to the standard username and password:

FIDO security keys

Fast Identity Online (FIDO) security keys are physical devices that use public key cryptography to authenticate users. They are considered highly secure as they are resistant to phishing, man-in-the-middle, and replay attacks. AWS supports FIDO U2F and FIDO2 security keys, which can be used as an MFA device for AWS Management Console and AWS CLI operations.

Virtual authenticator apps

Virtual authenticators generate a time-based one-time password (TOTP) that users can enter during sign-in. They are easy to use and available for free on most smartphone platforms. AWS supports virtual MFA applications that adhere to the OATH TOTP standard, including Google Authenticator and Authy.

Hardware TOTP tokens

Hardware TOTP tokens are small, physical devices that generate an authentication code. They offer a higher level of security compared to virtual authenticator apps as they are immune to threats like malware or viruses, which could potentially infect a user’s mobile device. AWS supports any hardware token that follows the OATH TOTP standard.

Hardware TOTP tokens for AWS GovCloud (US) Regions

AWS GovCloud Regions are AWS data centers intended for use by U.S. government agencies requiring the highest level of security. For AWS GovCloud Regions, AWS offers specific Gemalto hardware tokens. These tokens generate a six-digit authentication code that users can enter during sign-in. They are compliant with the Federal Information Processing Standard (FIPS) 140-2 Level 3, ensuring a high level of security for sensitive government data.

Related content: Read our guide to multi factor authentication types

Amazon Cognito MFA Limitations

When using Amazon Cognito as your authentication solution, you should be aware of several limitations that were reported by users. The limitations below were shared via the G2 platform.

Setup and Configuration Process

The setup and configuration process of Amazon Cognito can be quite complex, especially when dealing with advanced functionalities or when customizing user flows. Navigating through the various components, configurations, and options requires a solid grasp of the AWS ecosystem, which can be overwhelming for newcomers.

Documentation

Documentation for Amazon Cognito has been critiqued for not being sufficiently detailed, particularly when it comes to explaining and implementing complex scenarios. Users have expressed a need for more comprehensive examples and use cases.

Usability

Users have reported issues with Amazon Cognito’s user interface (UI). In addition, the platform has been criticized for its lack of service integration and the absence of localization for error messages. Additionally, the minimal customization options for the custom login page is a notable concern.

Token Expiration Time

MFA requires tokens for authentication, and these tokens have predefined expiration times for security reasons. Some users find the default expiration times too short, which can interrupt workflows and lead to repeated authentications.

It is possible to extend token expiration times, but this can create security concerns. Administrators must ensure token expiration times are short enough to be effective without hampering productivity.

Limited Options for Customization

Amazon Cognito MFA provides limited options for customization, offering only two additional authentication factors. This can be a hindrance for organizations that require more tailored authentication flows or need to implement specific security policies that are not supported by the default MFA setup.

Setting Up Multi-Factor Authentication with Amazon Cognito

Let’s look at how to enable MFA using Amazon Cognito.

To activate MFA using the Amazon Cognito console:

Log in to the Amazon Cognito console.
Select User Pools.
Choose an existing user pool from the dropdown, or establish a new user pool.
Click on the Sign-in experience tab. Locate Multi-factor authentication and select Edit. Select one of the MFA enforcement options:

Mandatory MFA: All users in your pool must login with an additional SMS code or temporary one-time password (TOTP) factor.
Optional MFA: Users can choose to add an extra sign-in factor, but users who have not set up MFA can still log in. Go with this option if you’re applying adaptive authentication.
Disabling MFA: Users cannot add an extra sign-in factor.

Determine the MFA methods to integrate into your app. You can assign an SMS message or TOTP-generating Authenticator apps as a secondary factor. For account recovery purposes, it is advised to implement a TOTP-based MFA to allow the use of SMS messages.
If you have chosen SMS text messages as a secondary factor and haven’t set an IAM role for Amazon Simple Notification Service (Amazon SNS) for SMS messages, create one in the console. Find the SMS option in the Messaging tab for your user pool and select Edit. Alternatively, use an existing IAM role to allow Amazon Cognito to send SMS messages to users.
Select Save changes.

Frontegg: The Ultimate Amazon Cognito Alternative

The industry standard today involves the use of authentication providers to “build the door”, but what about Authorization (the door knob)? Most authentication vendors don’t go that extra mile, forcing SaaS vendors to invest in expensive in-house user management development. This often leads to delays in core technology development, which negatively impacts innovation and time-to-market (TTM) metrics.

rontegg’s end-to-end user management platform allows you to authenticate and authorize users with just a few clicks. Integration takes just a few minutes and a few lines of code, thanks to its plug-and-play nature. It’s also multi-tenant by design and self-served by nature, something that helps reduce friction and improves user satisfaction. Also, all roles and permissions can be managed via a centralized dashboard. It’s really that easy.

START FOR FREE

The Complete Guide to SaaS Multi-Tenant Architecture

Read case study

Cookie	Duration	Description
_vis_opt_s	3 months 8 days	Visual Website Optimizer sets this cookie to detect if there are new to or returning to a particular test.
_vis_opt_test_cookie	session	Visual Website Optimizer creates this cookie to determine whether or not cookies are enabled on the user's browser.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
messagesUtk	6 months	HubSpot sets this cookie to recognize visitors who chat via the chatflows tool.

Cookie	Duration	Description
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_hjSession_*	1 hour	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjSessionUser_*	1 year	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hp2_ses_props.*	1 hour	Heap sets this cookie to store the timestamp and cookie domain or path.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_vwo_uuid_v2	1 year	This cookie is set by Visual Website Optimiser and calculates unique traffic on a website.
cb_anonymous_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.
cb_group_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
cb_user_id	1 year	Clearbit sets this cookie to collect data on visitors. This information is used to assign visitors into segments, making website advertising more relevant.

Cookie	Duration	Description
__Host-session	14 days	No description available.
__tld__	session	Description is currently not available.
_cfuvid	session	Description is currently not available.
_crowdcontrol_session_key	session	Description is currently not available.
_g2_session_id	session	Description is currently not available.
_hp2_hld346349427843107.1065080579	5 minutes	Description is currently not available.
_hp2_hld6722177740337317.1065080579	5 minutes	Description is currently not available.
_hp2_hld8090462093010520.1065080579	5 minutes	Description is currently not available.
cbtest	1 year	Description is currently not available.
debug	never	No description available.
events_distinct_id	session	Description is currently not available.
h1_device_id	1 year	Description is currently not available.
pfjscookies	1 year	Description is currently not available.