Enhancing Security with Amazon Cognito: Using Email as a Multi-Factor Authentication (MFA) Option

As more applications handle sensitive data, implementing multi-factor authentication (MFA) has become a key component of a robust security strategy. Amazon Cognito, a scalable authentication service in AWS, offers flexible MFA options to secure user accounts. While SMS-based MFA is common, using email as an MFA method is an effective alternative for scenarios where SMS may not be viable.

In this blog, we’ll explore how to enable email-based MFA with Amazon Cognito and its benefits.

What is Multi-Factor Authentication (MFA)?

MFA adds an extra layer of security to the traditional username-password login by requiring users to provide an additional verification method, like a one-time code sent to their device. This ensures that even if the password is compromised, the attacker cannot easily access the account.

Why Use Email for MFA?

SMS is often used for MFA, but it’s not always ideal:

  • SMS costs can accumulate for businesses with large user bases.
  • Network issues may prevent users from receiving SMS codes.
  • Users may feel uncomfortable sharing their phone numbers.

Email-based MFA is a great alternative that leverages a user’s email address for sending one-time passcodes (OTP). It’s cost-effective, accessible, and user-friendly, as most users already have access to their email across devices.

Setting Up Email-Based MFA in Amazon Cognito

Step 1: Access Amazon Cognito

  1. Log in to AWS Management Console.
  2. Navigate to the Amazon Cognito service.
  3. Click on User Pools in the left-hand menu.
  4. In the top-right corner, click Create a user pool to start the setup process.

Step 2: Configure Sign-In Experience

  1. In the Configure sign-in experience section, select Cognito user pool as the authentication provider.
  2. For Sign-in options, choose Username and deselect any additional username requirements unless needed.
  3. Click Next.

Step 3: Configure Security Requirements

  1. In the Password policy section, use Cognito defaults for password strength or customize as per your preference.
  2. Under Multi-factor authentication (MFA), for MFA enforcement, choose Optional MFA or Required MFA. Required enforces a second factor for every user; Optional only offers it, and each user must opt in (via SetUserMFAPreference, or AdminSetUserMFAPreference on their behalf) before Cognito will send them a code.
  3. Under MFA methods, select Email message to enable email-based MFA. Email MFA is only offered on the Essentials and Plus feature plans, so the option is unavailable on a Lite pool.
  4. For User account recovery, select Email only as the delivery method for recovery messages. Note that this makes the mailbox both the second factor and the recovery channel, so protecting that mailbox matters as much as protecting the password.
  5. Click Next to proceed.

Step 4: Configure Sign-Up Experience

  1. Ensure that enable self-registration is selected if you want to allow users to sign themselves up.
  2. Under Cognito-assisted verification and confirmation, ensure Send email message, verify email address is selected for identity verification.
  3. In Attributes to verify, confirm that Email is the chosen method.
  4. Under Required attributes, make sure that only Email is selected.
  5. Ensure Phone number is not selected as a required attribute since we’re using email for MFA.
  6. Click Next to continue.

Step 5: Configure Message Delivery

  1. In the Configure message delivery section, choose Send email with Amazon SES. Cognito's default email sender is fine for testing sign-up verification, but email MFA requires the pool to send through SES, so Send email with Cognito will not deliver MFA codes.
  2. Select a verified SES identity as the FROM address. If your SES account is still in the sandbox, every recipient address must be verified in SES as well, or the MFA email is silently rejected.
  3. If SMS is required for other scenarios, create a new IAM role to allow Cognito to send SMS messages.
  4. Click Next.

Step 6: Integrate Your App

  1. Under User pool name, enter a unique name for your pool.
  2. Skip the Cognito Hosted UI unless your app will use Cognito's hosted sign-in pages; the steps below call the API directly.
  3. For App client settings, ensure that App type is set to Public client.
  4. Generate a client secret only for a confidential (server-side) client that can keep it; a browser or mobile app cannot, and a public client works without one.
  5. Enter a name for your App client.
  6. Under Advanced app client settings, add ALLOW_USER_PASSWORD_AUTH to the authentication flows. If your SDK supports it, prefer ALLOW_USER_SRP_AUTH, which proves the password without sending it to Cognito; the MFA challenge sequence is the same for both flows.
  7. Click Next.

Step 7: Review and Create

  1. Review all your settings on the Review and create page.
  2. Make any necessary adjustments.
  3. Once everything is confirmed, click Create user pool.

Step 8: Set Up MFA in the User Pool

  1. After creating your user pool, navigate to the User pool overview.
  2. Click on the Sign-in experience tab.
  3. Under multi-factor authentication (MFA), click Edit.
  4. Ensure Optional MFA (or Required MFA) is selected and confirm that Email message is checked under MFA methods.
  5. Click Save changes.

Step 9: Configure App Client (Client ID)

  1. In the App integration tab of your user pool, locate the App clients and analytics section.
  2. Select your app client, and note down the Client ID. This will be required for application integration.

Step 10: Testing MFA

  1. Create a test user in your Cognito user pool with a verified email address. Cognito only sends MFA codes to an email attribute that is marked verified (email_verified = true); for an admin-created user you can set that at creation time with the CLI, e.g. aws cognito-idp admin-create-user ... --user-attributes Name=email,Value=... Name=email_verified,Value=true.
  2. If you chose Optional MFA, opt the user in first (SetUserMFAPreference with EmailMfaSettings Enabled=true, PreferredMfa=true); until then the sign-in completes on password alone.
  3. Sign in with the test user. The response to InitiateAuth is not tokens but an EMAIL_OTP challenge (or SELECT_MFA_TYPE first if the user also has SMS or TOTP set up), and the email containing the OTP (one-time passcode) arrives from your SES identity.
  4. Answer the challenge with RespondToAuthChallenge, passing the code as EMAIL_OTP_CODE, and verify that tokens are issued. Also check the negative cases: a wrong code returns CodeMismatchException and a code cannot be replayed after it has been accepted.
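The test in Step 10 as working code, added here as an example that is not part of the original post or of AWS's own samples. sign_in() and enable_email_mfa() issue the same calls a boto3 "cognito-idp" client exposes (initiate_auth, respond_to_auth_challenge, set_user_mfa_preference), so in production you pass boto3.client("cognito-idp", region_name=...) as the client. FakeCognito is a constructed stand-in that mimics the service's challenge sequence (EMAIL_OTP, or SELECT_MFA_TYPE first when a user has several methods) so the module runs offline; CLIENT_ID is a placeholder for your app client's Client ID.

```python
# Added example, not from the original post or AWS; FakeCognito is a constructed stand-in.
import hmac
import secrets
from typing import Any, Callable, Dict

CLIENT_ID = "example-app-client-id"  # assumption: replace with your app client's Client ID


def enable_email_mfa(client: Any, access_token: str) -> None:
    """Under 'Optional MFA' each user must opt in; this is the call that does it."""
    client.set_user_mfa_preference(
        AccessToken=access_token,
        EmailMfaSettings={"Enabled": True, "PreferredMfa": True},
    )


def sign_in(client: Any, username: str, password: str,
            read_code: Callable[[], str]) -> Dict[str, str]:
    """USER_PASSWORD_AUTH, then answer MFA challenges until tokens are issued.
    read_code() runs only when Cognito actually asks for the emailed code."""
    resp = client.initiate_auth(
        ClientId=CLIENT_ID, AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    for _ in range(4):  # longest real path: SELECT_MFA_TYPE -> EMAIL_OTP -> tokens
        name = resp.get("ChallengeName")
        if name is None:
            return resp["AuthenticationResult"]
        if name == "SELECT_MFA_TYPE":  # several MFA methods enabled, none preferred
            answers = {"USERNAME": username, "ANSWER": "EMAIL_OTP"}
        elif name == "EMAIL_OTP":
            answers = {"USERNAME": username, "EMAIL_OTP_CODE": read_code()}
        else:
            raise RuntimeError(f"unhandled challenge: {name}")
        resp = client.respond_to_auth_challenge(
            ClientId=CLIENT_ID, ChallengeName=name,
            Session=resp["Session"], ChallengeResponses=answers,
        )
    raise RuntimeError("challenge sequence did not converge")


class NotAuthorized(Exception):
    """Stand-in for client.exceptions.NotAuthorizedException."""

class CodeMismatch(Exception):
    """Stand-in for client.exceptions.CodeMismatchException."""


class FakeCognito:
    """Constructed simulator: password check, per-user MFA set, single-use email codes."""

    def __init__(self):
        self.users = {}     # username -> {"password", "email", "mfa": set()}
        self.sessions = {}  # session token -> {"user", "code"}
        self.tokens = {}    # access token -> username
        self.outbox = []    # (recipient, code) messages the service "sent"

    def add_user(self, username, password, email, mfa=()):
        self.users[username] = {"password": password, "email": email, "mfa": set(mfa)}

    def _issue_tokens(self, username):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = username
        return {"AuthenticationResult": {"AccessToken": token}}

    def _email_challenge(self, session):
        state = self.sessions[session]
        state["code"] = f"{secrets.randbelow(10**6):06d}"
        self.outbox.append((self.users[state["user"]]["email"], state["code"]))
        return {"ChallengeName": "EMAIL_OTP", "Session": session}

    def initiate_auth(self, *, ClientId, AuthFlow, AuthParameters):
        username, password = AuthParameters["USERNAME"], AuthParameters["PASSWORD"]
        user = self.users.get(username)
        if (AuthFlow != "USER_PASSWORD_AUTH" or user is None
                or not hmac.compare_digest(user["password"].encode(), password.encode())):
            raise NotAuthorized("Incorrect username or password.")
        if not user["mfa"]:
            return self._issue_tokens(username)  # nothing enrolled: password alone signs in
        session = secrets.token_urlsafe(8)
        self.sessions[session] = {"user": username, "code": None}
        if len(user["mfa"]) > 1:
            return {"ChallengeName": "SELECT_MFA_TYPE", "Session": session}
        return self._email_challenge(session)

    def respond_to_auth_challenge(self, *, ClientId, ChallengeName, Session, ChallengeResponses):
        state = self.sessions.get(Session)
        if state is None or ChallengeResponses.get("USERNAME") != state["user"]:
            raise NotAuthorized("Invalid session for the user.")
        if ChallengeName == "SELECT_MFA_TYPE" and ChallengeResponses.get("ANSWER") == "EMAIL_OTP":
            return self._email_challenge(Session)
        if ChallengeName == "EMAIL_OTP" and state["code"] is not None:
            given = ChallengeResponses.get("EMAIL_OTP_CODE", "").encode()
            del self.sessions[Session]  # stricter than the service: one answer per code
            if hmac.compare_digest(state["code"].encode(), given):
                return self._issue_tokens(state["user"])
            raise CodeMismatch("Invalid code or auth state for the user.")
        raise NotAuthorized("Invalid challenge for the user.")

    def set_user_mfa_preference(self, *, AccessToken, EmailMfaSettings):
        user = self.users[self.tokens[AccessToken]]
        if EmailMfaSettings.get("Enabled"):
            user["mfa"].add("EMAIL_OTP")
        else:
            user["mfa"].discard("EMAIL_OTP")
```

The simulator is deliberately stricter than Cognito on one point: it spends the code on the first answer, whereas the service allows a few retries within the same session before it expires. Everything the client side does (the flow name, the challenge names, the ChallengeResponses keys, the session hand-off) matches the real API, which is what you should verify against a real pool after the offline run passes.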

Lambda Trigger for MFA Customization

  • Cognito's built-in email MFA is switched on per pool (Required) or per user (Optional); there is no trigger that turns it on or off for a single sign-in. If you only want an email code under your own conditions, for example for users in certain regions or after a run of failed attempts, implement the custom authentication flow instead.
  • That flow uses three Lambda triggers: DefineAuthChallenge decides the next step from the session history, CreateAuthChallenge generates the code and sends it (through SES) with the secret kept in privateChallengeParameters, and VerifyAuthChallengeResponse checks the user's answer. The Pre sign-up and Pre authentication triggers cannot send or verify codes; they only accept or reject the request they are given.
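The three custom-auth handlers for a conditional email OTP, as an added example that is not code from the original post or from AWS. The event shapes follow Cognito's custom authentication trigger contracts (request.session, request.userAttributes, response.challengeName and so on). Two things are assumptions: a custom user attribute custom:region marks the users who must answer a code, and send_email is injected in place of the SES call (boto3.client("ses").send_email) you would use in a real Lambda.

```python
# Added example, not code from the original post or from AWS. Event shapes follow
# Cognito's custom auth trigger contracts; custom:region and send_email are assumptions.
import hmac
import secrets
import time
from typing import Any, Callable, Dict, Optional

MAX_OTP_ATTEMPTS = 3          # wrong answers allowed before the sign-in is failed
OTP_TTL_SECONDS = 300         # a code is good for five minutes
OTP_REGIONS = {"eu", "apac"}  # assumption: custom:region values whose users get an OTP


def define_auth_challenge(event: Dict[str, Any]) -> Dict[str, Any]:
    """Decide the next step from the session history Cognito passes in."""
    req, resp = event["request"], event["response"]
    session, attrs = req["session"], req["userAttributes"]
    resp.update({"challengeName": "", "issueTokens": False, "failAuthentication": False})
    if req.get("userNotFound"):
        resp["failAuthentication"] = True
    elif len(session) == 1 and session[0]["challengeName"] == "SRP_A":
        resp["challengeName"] = "PASSWORD_VERIFIER"  # first leg: the SRP password proof
    elif (len(session) < 2 or session[1]["challengeName"] != "PASSWORD_VERIFIER"
          or not session[1]["challengeResult"]):
        resp["failAuthentication"] = True            # wrong password or unexpected state
    else:
        otp_rounds = [s for s in session[2:] if s["challengeName"] == "CUSTOM_CHALLENGE"]
        if not otp_rounds and attrs.get("custom:region") not in OTP_REGIONS:
            resp["issueTokens"] = True               # condition not met: password is enough
        elif attrs.get("email_verified") != "true":
            resp["failAuthentication"] = True        # cannot deliver a code: deny, don't skip
        elif otp_rounds and otp_rounds[-1]["challengeResult"]:
            resp["issueTokens"] = True               # the code was answered correctly
        elif len(otp_rounds) >= MAX_OTP_ATTEMPTS:
            resp["failAuthentication"] = True        # too many misses: stop issuing codes
        else:
            resp["challengeName"] = "CUSTOM_CHALLENGE"  # issue (or re-issue) an email code
    return event


def create_auth_challenge(event: Dict[str, Any],
                          send_email: Callable[[str, str], None]) -> Dict[str, Any]:
    """Generate a code, email it, and keep the secret in the private parameters."""
    email = event["request"]["userAttributes"]["email"]
    code = f"{secrets.randbelow(10**6):06d}"
    send_email(email, f"Your sign-in code is {code}. It expires in {OTP_TTL_SECONDS // 60} minutes.")
    local, _, domain = email.partition("@")
    # public parameters reach the client; only show a masked address there
    event["response"]["publicChallengeParameters"] = {"email": f"{local[:1]}***@{domain}"}
    event["response"]["privateChallengeParameters"] = {
        "code": code, "expires": str(int(time.time()) + OTP_TTL_SECONDS)}
    event["response"]["challengeMetadata"] = "EMAIL_OTP"
    return event


def verify_auth_challenge_response(event: Dict[str, Any],
                                   now: Optional[float] = None) -> Dict[str, Any]:
    """Constant-time compare against the stored code; expired codes never match."""
    private = event["request"]["privateChallengeParameters"]
    given = str(event["request"].get("challengeAnswer") or "")
    fresh = (time.time() if now is None else now) < int(private.get("expires", "0"))
    event["response"]["answerCorrect"] = fresh and hmac.compare_digest(
        private.get("code", "").encode(), given.encode())
    return event

# In Lambda each function is wrapped as a handler, e.g. (assumed wiring, not shown here):
#   def lambda_handler(event, context):
#       return create_auth_challenge(event, send_with_ses)
# where send_with_ses calls boto3.client("ses").send_email(...) with a verified Source.
```

The session list is the only state Cognito carries between the triggers, which is why the attempt limit is computed by counting CUSTOM_CHALLENGE entries rather than stored anywhere. The code itself lives in privateChallengeParameters, which Cognito never returns to the client; the expiry is enforced in the verify step because the session timeout is not under your control there.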

Benefits of Using Amazon Cognito Email-Based MFA

  1. Cost-Effective: No SMS charges make this ideal for applications with a large user base.
  2. Convenient: Email is widely accessible, and users are generally more comfortable sharing their email addresses than their phone numbers.
  3. Scalable: Amazon Cognito handles the scaling and infrastructure for sending verification emails.
  4. Security: A stolen or guessed password is no longer enough on its own, which removes the most common path to account takeover. Keep the limits in view, though: an emailed code is a one-time code delivered out of band, so like SMS it can be phished in real time, and if the same mailbox is also the account-recovery channel, whoever controls that mailbox controls both factors. Treat email MFA as a clear improvement over a password alone, not as a substitute for TOTP or passkeys where you can offer them.

Conclusion

Incorporating email as an MFA option with Amazon Cognito is an easy-to-implement solution that improves security without sacrificing user convenience. Whether you’re looking to provide more options to your users or avoid the complexities of SMS-based MFA, this method provides a robust security solution.

By following the steps outlined above, you can quickly set up and roll out email-based MFA in your Amazon Cognito user pool, securing your application while ensuring a seamless user experience.