AWS Cognito

AWS Cognito MFA: The Basics and a Quick Tutorial

What Is AWS Cognito? 

AWS Cognito is a managed service provided by Amazon Web Services that handles user authentication, authorization, and user management for web and mobile applications. It supports sign-in with social identity providers such as Google, Facebook, and Amazon, along with enterprise identity providers via SAML 2.0 and OpenID Connect.

The service has two main components. User pools are user directories that handle sign-up, sign-in, and MFA and issue JSON Web Tokens (ID, access, and refresh tokens) to the application. Identity pools exchange a token from a user pool or an external provider for temporary, scoped AWS credentials, so the client can call AWS services directly without the application having to manage its own session store.

Through the older Amazon Cognito Sync feature, the service can also synchronize user data across devices and support offline access to application data; AWS now points new applications at AWS AppSync for that use case. User pools scale with the user base without the need for an internal backend system to handle user sessions and credential storage.

What Is Multi-Factor Authentication (MFA)? 

Multi-factor authentication (MFA) is a security mechanism that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. MFA combines two or more independent credentials: what the user knows (password), what the user has (security token), and what the user is (biometric verification).

The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network, or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.

MFA Methods in AWS Cognito 

Cognito user pools offer the two second factors described below, which are the ones this tutorial covers.

SMS Text Message MFA

SMS MFA sends a one-time code to the user's phone number, which must be entered in addition to the password. It treats possession of the phone number as the second factor, so a stolen password alone is no longer enough to sign in. It is also the weakest of the options: the code belongs to the number rather than to a device, so SIM-swap, number-porting, and SS7 interception attacks can redirect it, and NIST SP 800-63B classifies one-time codes delivered over the telephone network as a restricted authenticator. Prefer TOTP wherever the user population can run an authenticator app.

TOTP Software Token MFA

TOTP (Time-Based One-Time Password) software tokens, standardized in RFC 6238, generate a short-lived code (typically six digits, valid for one 30-second time step) in a device-based application such as Google Authenticator or Authy. The code is an HMAC of the current time step keyed with a secret that the server and the app share at enrollment, so it changes every step and cannot be derived without the secret. Because the secret never leaves the device and nothing is transmitted over the phone network, TOTP is not exposed to the SIM-swap and interception attacks that affect SMS.

Tutorial: Adding MFA to a User Pool in Amazon Cognito

Prior Considerations

Before implementing MFA in your AWS Cognito user pool, consider these elements:

  • Unverified phone numbers: If you choose SMS text message MFA, AWS Cognito allows you to send messages to phone numbers that haven’t been verified. Once the SMS MFA process is completed by a user, their phone_number_verified attribute within Cognito will be set to true automatically.
  • SMS sandbox: If your account resides within the SMS sandbox environment for the AWS Region linked to your user pool, you must verify all phone numbers through 
  • Activate MFA in the Cognito console: adaptive authentication, which is part of the advanced security features, requires MFA to be activated and set to Optional in the Amazon Cognito user pool console, so that Cognito can decide per sign-in whether to challenge for a second factor.

Adding a Verified Phone Number in Amazon SNS

The first step to setting up MFA is to define one or more verified phone numbers in Amazon Simple Notification Service (SNS). Visit the Amazon SNS Console.

In the Text messaging (SMS) section, click Add phone number.

After adding the phone number, you will be taken to a verification screen, and an SMS will be dispatched to the phone number you provided. Type in the verification code and click Verify phone number. If it matches, the verified phone number appears under Sandbox destination phone numbers on the Amazon SNS main screen. While the account is in the SMS sandbox, Cognito can deliver SMS MFA codes only to numbers listed there; request production access from SNS before opening sign-up to real users.

Configuring MFA

To set up MFA in your AWS Cognito user pool, follow these steps:

  1. Access the Amazon Cognito console, click on User Pools, and pick an existing user pool from the list (or create one).
  2. For an existing pool, navigate to the Sign-in experience tab, locate the Multi-factor authentication section, and click Edit.
  3. Select the MFA option you need:
    Require MFA: All users must authenticate using an additional factor like SMS or TOTP. Users who have not yet enrolled a factor are forced through setup at their next sign-in.
    Optional MFA: Users have the option to use a second factor, but it is not mandatory. This is the setting adaptive authentication requires.
    No MFA: MFA is not enabled, and users cannot register additional sign-in factors.
  4. Choose MFA methods: Select the authentication methods available for your application, such as SMS or TOTP (via apps like Google Authenticator).
  5. Configure SMS settings: If using SMS, ensure an IAM role for Amazon SNS is set up to allow Cognito to send SMS messages. This can be configured under the Messaging tab by selecting SMS and then Edit, or you can utilize an existing IAM role. The role's trust policy should carry the external ID that Cognito supplies; it is what prevents another AWS account's user pool from assuming your SNS role (the confused-deputy problem).
  6. Save your configuration: After making all necessary changes and selections, click Save changes to apply the MFA settings to your user pool.

Note: If you are creating a new pool, you can set up Multi-factor authentication in the Configure Security Requirements screen.
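The console steps above map onto three Cognito API calls: ListUserPools, GetUserPoolMfaConfig, and SetUserPoolMfaConfig, where the console's Off/Optional/Required choice is the MfaConfiguration value OFF/OPTIONAL/ON. The following is an added example, not code from this article or from AWS. It audits every user pool in a region for MFA turned off, left optional, or backed by SMS alone, and then applies the Required + TOTP setting with a single call. It assumes boto3 and credentials allowed to make those three calls; the finding texts are this example's own wording, and it treats the presence of SmsMfaConfiguration in the response as SMS MFA being configured.

```python
"""Audit and enforce MFA on Cognito user pools through the cognito-idp API.
Added example; it assumes boto3 and IAM permissions for cognito-idp:ListUserPools,
GetUserPoolMfaConfig and SetUserPoolMfaConfig."""
try:
    import boto3  # needed only for the live run at the bottom
except ImportError:  # the functions still work against a stand-in client object
    boto3 = None


def assess_mfa(config: dict) -> list:
    """Findings for one GetUserPoolMfaConfig response (wording is this example's own)."""
    findings = []
    mode = config.get("MfaConfiguration", "OFF")
    totp_on = config.get("SoftwareTokenMfaConfiguration", {}).get("Enabled", False)
    sms_on = "SmsMfaConfiguration" in config
    if mode == "OFF":
        findings.append("MFA is OFF: users cannot enroll a second factor at all")
    elif mode == "OPTIONAL":
        findings.append("MFA is OPTIONAL: only users who opt in, or whom adaptive "
                        "authentication challenges, present a second factor")
    if mode != "OFF" and sms_on and not totp_on:
        findings.append("SMS is the only second factor: exposed to SIM swap and SS7 interception")
    return findings


def audit_user_pools(client) -> dict:
    """Map every user pool id in the region to its findings; follows NextToken paging."""
    report = {}
    kwargs = {"MaxResults": 60}
    while True:
        page = client.list_user_pools(**kwargs)
        for pool in page["UserPools"]:
            cfg = client.get_user_pool_mfa_config(UserPoolId=pool["Id"])
            report[pool["Id"]] = assess_mfa(cfg)
        token = page.get("NextToken")
        if not token:
            return report
        kwargs["NextToken"] = token


def require_totp_mfa(client, user_pool_id: str, sns_caller_arn: str = None,
                     sns_external_id: str = None) -> dict:
    """Set the pool to Required MFA with TOTP enabled (console steps 3 and 4).

    SmsMfaConfiguration is included only when an SNS caller role ARN is given;
    the external ID is the confused-deputy guard on that role's trust policy.
    Returns the request parameters that were sent.
    """
    params = {
        "UserPoolId": user_pool_id,
        "MfaConfiguration": "ON",
        "SoftwareTokenMfaConfiguration": {"Enabled": True},
    }
    if sns_caller_arn:
        sms = {"SnsCallerArn": sns_caller_arn}
        if sns_external_id:
            sms["ExternalId"] = sns_external_id
        params["SmsMfaConfiguration"] = {"SmsConfiguration": sms}
    client.set_user_pool_mfa_config(**params)
    return params


if __name__ == "__main__":
    import json
    import sys
    if boto3 is None:
        sys.exit("boto3 is required for a live run")
    idp = boto3.client("cognito-idp")
    print(json.dumps(audit_user_pools(idp), indent=2))
    # To enforce on one pool, replace the id below with one flagged by the audit:
    # require_totp_mfa(idp, "us-east-1_EXAMPLE")
```

Run the audit first. Switching an existing pool to Required is safe for signed-in sessions, but every user without an enrolled factor will receive an MFA_SETUP challenge at their next sign-in, so make sure the application handles that challenge before flipping the setting.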

Limitations of AWS Cognito 

When evaluating AWS Cognito’s MFA functionality, you should be aware of several limitations in the platform, as reported by users on the G2 platform.

Complexity and Technical Requirements

AWS Cognito has a complex setup process that requires a thorough understanding of the AWS ecosystem. This can be a barrier for users with limited technical expertise or those new to AWS services. Navigating through the options and configurations necessary to tailor Cognito to specific needs often results in a steep learning curve.

Inadequate Documentation

The documentation provided for AWS Cognito sometimes lacks the detailed, step-by-step examples that developers need to effectively implement the service in complex scenarios. This gap can create challenges in understanding and applying the service’s capabilities, leading to potential misconfigurations or prolonged development times as teams interpret the general guidelines provided.

Customization Constraints

AWS Cognito offers limited customization options, which can be a drawback for businesses needing to integrate the service seamlessly with their existing systems or to enhance the user interface to reflect their branding. These constraints restrict the ability to provide a fully personalized user experience.

Rising Costs with Scaling

The pricing model of AWS Cognito, particularly when scaling up the user base, can become a financial concern. As features like SMS-based MFA involve per-message costs, organizations with a large number of users can face significant expenses, which may not be sustainable in the long term.

User Interface and Service Integration

The user interface of AWS Cognito often receives mixed reviews, with some users finding it less intuitive compared to other authentication services. The interface design, including navigation and menu options, sometimes lacks the clarity and ease of use needed for efficient system management. Integrating Cognito with other services can sometimes be more complicated than expected. 

Frontegg: The Ultimate AWS Cognito Alternative

Frontegg offers multi-factor authentication (MFA) capabilities that combine flexibility with security. It lets organizations set MFA policy, defining whether MFA is enforced, optional, or exempt for enterprise SSO users, and supports various MFA methods, including authenticator apps, SMS, security keys, and built-in authenticators like Touch ID and Windows Hello.

Frontegg also introduces Adaptive MFA, a dynamic authentication feature that balances security and user convenience. Adaptive MFA assesses the risk level of each login attempt by analyzing various factors such as new devices, unusual locations, or potential bot activity. If a login attempt is deemed risky, the system prompts for an additional authentication factor, ensuring robust security without imposing unnecessary friction on routine logins.
