Adding adaptive MFA to your AWS Cognito login flow
Learn how to add adaptive MFA to your AWS Cognito login flow using Authsignal.
Adaptive MFA can be achieved by using Authsignal’s rules engine. For example, you can create risk-based authentication flows so that MFA is only required when certain conditions are met, e.g. when a user is authenticating on a new device. For more bespoke scenarios, you can also feed your business-specific data points into your rules.
This guide will cover how to modify your AWS Cognito integration code to use rules.
Prerequisites
This guide assumes you have an existing Authsignal + AWS Cognito integration. If you don’t, you can follow one of the following guides:
Adaptive MFA on login
A common use case for adaptive MFA is on login. For example, we might want to reduce user friction by not requiring MFA for users who are authenticating from a known device.
Authsignal rule set up
- Go to the Actions page and find the Cognito Auth action.
- Click on the Cognito Auth action and go to the Rules tab.
- Click on the Create Rule button and create a new rule, for example a new device rule.
The Cognito Auth action will only appear if you have tested your existing Authsignal + AWS Cognito integration. If you don’t see it, you can use the Configure a new action button to create it. Make sure to name it cognitoAuth.
Define Auth Challenge lambda
In this case we assume the Define Auth Challenge lambda is implemented to require multiple authentication steps. The "CUSTOM_CHALLENGE" step is delegated to Authsignal.
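As an added example of such a lambda (not Authsignal’s or AWS’s own code), the handler below requires the SRP password steps first and then issues a "CUSTOM_CHALLENGE" for Authsignal, failing closed on any wrong answer or on an unexpected step sequence. It assumes the client starts the CUSTOM_AUTH flow with an SRP_A step, which is how Amplify behaves when a password is supplied; the sample events are constructed.

```javascript
// Added example: a Define Auth Challenge Lambda for a password + Authsignal flow.
// Wire `defineAuthChallenge` up as your Lambda's exported handler.
function defineAuthChallenge(event) {
  const session = event.request.session || [];
  const last = session[session.length - 1];
  const res = event.response;

  // Defaults: no tokens yet, and the flow continues unless we fail it below.
  res.issueTokens = false;
  res.failAuthentication = false;

  if (last && last.challengeResult === false) {
    // Any wrong answer at any step ends the flow (fail closed).
    res.failAuthentication = true;
  } else if (session.length === 1 && last.challengeName === "SRP_A") {
    // Client opened with SRP_A: ask it to prove the password.
    res.challengeName = "PASSWORD_VERIFIER";
  } else if (session.length === 2 && last.challengeName === "PASSWORD_VERIFIER") {
    // Password is correct: the next step is delegated to Authsignal.
    res.challengeName = "CUSTOM_CHALLENGE";
  } else if (session.length === 3 && last.challengeName === "CUSTOM_CHALLENGE") {
    // Verify Auth Challenge Response accepted the Authsignal token.
    res.issueTokens = true;
  } else {
    // Unexpected sequence, e.g. a client trying to skip the password step.
    res.failAuthentication = true;
  }
  return event;
}

// Constructed sample event shaped like what Cognito passes to the Lambda.
function sampleEvent(session) {
  return { request: { session }, response: {} };
}

const passed = (challengeName) => ({ challengeName, challengeResult: true });
```

Note that the step count is checked as well as the name of the last step: without the length checks, a session that somehow reached "CUSTOM_CHALLENGE" without a successful "PASSWORD_VERIFIER" entry would still be issued tokens.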
Create Auth Challenge lambda
When tracking our action in the Create Auth Challenge lambda we can check the state field in the response to see whether our rule has determined that a challenge is required for the action. In addition to the url for the pre-built UI, we will also pass this state value along with a token back to our app as public challenge parameters. Public challenge parameters are visible to the client, so the app should treat state only as a hint for what UI to show; whether MFA can actually be skipped is decided server-side when the token is validated in the Verify Auth Challenge Response lambda. Make sure to include any additional data points required by the rule you set up on your Cognito Auth action.
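The following is an added example of a Create Auth Challenge lambda, not Authsignal’s own code. In a real deployment the track call is `authsignal.track(...)` from the Authsignal Node SDK; here the handler takes the track function as a parameter and a constructed stand-in is used so the example runs offline. The track parameters shown, the response fields read (state, url, token) and the `redirectUrl` are assumptions to check against the SDK you are using.

```javascript
// Added example: a Create Auth Challenge Lambda that tracks the cognitoAuth
// action and hands state, url and token to the app as public challenge params.
const ACTION = "cognitoAuth";

async function createAuthChallenge(event, track) {
  const attrs = event.request.userAttributes || {};
  const meta = event.request.clientMetadata || {};

  // Data points the rule may need. clientMetadata is supplied by the app, so
  // anything taken from it is client-controlled: use it to reduce friction,
  // not as a trust boundary on its own.
  const result = await track({
    userId: event.userName,
    action: ACTION,
    email: attrs.email,
    deviceId: meta.deviceId,     // assumed track parameter
    userAgent: meta.userAgent,   // assumed track parameter
    redirectUrl: "https://app.example.com/auth/callback", // assumed
  });

  // Visible to the client: state drives the UI, url is the pre-built UI,
  // token is what the app will answer the challenge with.
  event.response.publicChallengeParameters = {
    state: result.state,
    url: result.url,
    token: result.token,
  };
  // Server-side only: available again in Verify Auth Challenge Response.
  event.response.privateChallengeParameters = { userId: event.userName };
  event.response.challengeMetadata = "AUTHSIGNAL_CHALLENGE";
  return event;
}

// Constructed stand-in for the SDK call: a device the rule has seen before
// is allowed through, anything else gets a challenge.
async function constructedTrack(params) {
  const known = params.deviceId === "known-device-1";
  return {
    state: known ? "ALLOW" : "CHALLENGE_REQUIRED",
    url: "https://challenge.example/?token=t1",
    token: "t1",
  };
}

// Constructed sample event in the shape Cognito sends to the Lambda.
function sampleCreateEvent(deviceId) {
  return {
    userName: "alice",
    request: { userAttributes: { email: "alice@example.com" }, clientMetadata: { deviceId } },
    response: {},
  };
}
```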
The app code
Now we can adapt our app code to use the state param to determine whether MFA is required.
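Here is an added example of the app-side handling, not code from the original page. It assumes the app signs in through AWS Amplify’s Auth with authenticationFlowType "CUSTOM_AUTH" (so the sign-in result carries `challengeName` and `challengeParam`) and that the pre-built UI returns the user to the app with a `token` query parameter; both are assumptions, and the fake Auth object is constructed for the example.

```javascript
// Added example: decide what the app does from the public challenge params.
function decideMfaStep(challengeParam) {
  const { state, url, token } = challengeParam || {};
  switch (state) {
    case "ALLOW":
      // Rule decided no MFA is needed: answer right away with the token.
      return typeof token === "string" && token ? { kind: "answer", token } : { kind: "deny" };
    case "CHALLENGE_REQUIRED":
      // MFA required: send the user to Authsignal's pre-built UI.
      return typeof url === "string" && url ? { kind: "redirect", url } : { kind: "deny" };
    default:
      // BLOCK, or any state we do not recognise: do not proceed.
      return { kind: "deny" };
  }
}

// After the redirect back from the pre-built UI, the token is read from the
// query string (assumed parameter name) and used as the challenge answer.
function tokenFromCallback(search) {
  return new URLSearchParams(search).get("token") || null;
}

// Sign in and either finish immediately (ALLOW) or hand off to the MFA UI.
// `Auth` is Amplify's Auth class; `onRedirect` performs the navigation.
async function signInWithAdaptiveMfa(Auth, username, password, onRedirect) {
  const user = await Auth.signIn(username, password);
  if (user.challengeName !== "CUSTOM_CHALLENGE") return user;
  const step = decideMfaStep(user.challengeParam);
  if (step.kind === "answer") return Auth.sendCustomChallengeAnswer(user, step.token);
  if (step.kind === "redirect") {
    onRedirect(step.url);
    return null;
  }
  throw new Error("Sign-in blocked by policy");
}

// Constructed fake Auth object so the flow can be exercised offline.
function fakeAuth(challengeParam) {
  return {
    signIn: async () => ({ challengeName: "CUSTOM_CHALLENGE", challengeParam }),
    sendCustomChallengeAnswer: async (user, answer) => ({ answered: answer }),
  };
}
```

The app never decides on its own that MFA is unnecessary: it only skips the UI, and the token it sends is still validated by the Verify Auth Challenge Response lambda.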
Verify Auth Challenge Response lambda
Finally, we need to update our Verify Auth Challenge Response lambda to handle if the user is allowed to bypass MFA.
The only change here is to set event.response.answerCorrect to true if the state of the action is either "CHALLENGE_SUCCEEDED" (because the user successfully completed an MFA step) or "ALLOW" (because the user wasn’t required to complete MFA).
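As an added example (not Authsignal’s own code), the Verify Auth Challenge Response lambda below accepts the answer only when the validated token is in one of those two states and belongs to the user being authenticated. The real call is `authsignal.validateChallenge({ token })` from the Authsignal Node SDK; it is injected here and stubbed with constructed responses so the example runs offline, and the response fields read (state, userId, action) are assumptions to check against your SDK version.

```javascript
// Added example: a Verify Auth Challenge Response Lambda for adaptive MFA.
const EXPECTED_ACTION = "cognitoAuth";
const PASSING_STATES = new Set(["CHALLENGE_SUCCEEDED", "ALLOW"]);

async function verifyAuthChallengeResponse(event, validateChallenge) {
  event.response.answerCorrect = false;
  const token = event.request.challengeAnswer;
  if (typeof token !== "string" || token.length === 0) return event;

  const result = await validateChallenge({ token });

  // Bind the token to this sign-in: a token minted for another user or
  // another action must not unlock this one, even if its state is ALLOW.
  if (result.userId !== event.userName) return event;
  if (result.action !== EXPECTED_ACTION) return event;

  // ALLOW means the rule waived MFA; CHALLENGE_SUCCEEDED means it was passed.
  // Any other state (CHALLENGE_REQUIRED, CHALLENGE_FAILED, BLOCK) stays false.
  event.response.answerCorrect = PASSING_STATES.has(result.state);
  return event;
}

// Constructed stand-in for the SDK call, keyed on the token value.
const CONSTRUCTED_TOKENS = {
  "tok-allow": { state: "ALLOW", userId: "alice", action: "cognitoAuth" },
  "tok-passed": { state: "CHALLENGE_SUCCEEDED", userId: "alice", action: "cognitoAuth" },
  "tok-pending": { state: "CHALLENGE_REQUIRED", userId: "alice", action: "cognitoAuth" },
  "tok-other-user": { state: "ALLOW", userId: "mallory", action: "cognitoAuth" },
  "tok-other-action": { state: "ALLOW", userId: "alice", action: "changeEmail" },
};
async function constructedValidate({ token }) {
  return CONSTRUCTED_TOKENS[token] || { state: "CHALLENGE_FAILED" };
}

// Constructed sample event in the shape Cognito sends to the Lambda.
function sampleVerifyEvent(challengeAnswer) {
  return { userName: "alice", request: { challengeAnswer }, response: {} };
}
```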