What MFA options does Cognito support?

Cognito supports SMS-based MFA, TOTP (time-based one-time password) via authenticator apps, and email-based MFA. You can set MFA to optional (users choose whether to enable it), required (all users must enroll), or off. Adaptive authentication can automatically require MFA when Cognito detects a risk signal like a new device or location. TOTP is generally recommended over SMS because it is not susceptible to SIM-swapping attacks.

How do Lambda triggers customize the authentication flow?

Lambda triggers fire at specific points in the authentication lifecycle: pre-sign-up (validate or auto-confirm users), pre-authentication (custom validation before sign-in), post-authentication (logging or analytics), custom message (personalize verification emails/SMS), define/create/verify auth challenge (build completely custom authentication flows), and pre-token-generation (add custom claims to JWT tokens). Each trigger receives a specific event payload and must return an expected response format.

Can I migrate existing users to a Cognito User Pool?

Yes. Cognito supports a user migration Lambda trigger that fires when a user who does not exist in the pool attempts to sign in. The trigger can verify the user against your legacy system and, if valid, create them in Cognito transparently. You can also use the AdminCreateUser API for bulk imports. Passwords cannot be migrated directly due to hashing, so the migration trigger approach lets users keep their existing passwords by verifying them against the old system on first login.

Cognito User Pool Builder

IAM & SecurityAWS

Build Cognito user pool configurations with MFA, password policies, and Lambda triggers.

Last verified: May 2026

Cognito Configuration

Build Cognito user pool configs with auth flows, MFA, password policies, and Lambda triggers.

Required Fields

PoolNamePolicies.PasswordPolicy.MinimumLengthSchema

{
  "PoolName": "my-app-user-pool",
  "AutoVerifiedAttributes": ["email"],
  "UsernameAttributes": ["email"],
  "MfaConfiguration": "OPTIONAL",
  "Policies": {
    "PasswordPolicy": {
      "MinimumLength": 12,
      "RequireUppercase": true,
      "RequireLowercase": true,
      "RequireNumbers": true,
      "RequireSymbols": true,
      "TemporaryPasswordValidityDays": 7
    }
  },
  "Schema": [
    {
      "Name": "email",
      "AttributeDataType": "String",
      "Required": true,
      "Mutable": true
    },
    {
      "Name": "name",
      "AttributeDataType": "String",
      "Required": true,
      "Mutable": true
    },
    {
      "Name": "tenant_id",
      "AttributeDataType": "String",
      "Required": false,
      "Mutable": false
    }
  ],
  "LambdaConfig": {
    "PreSignUp": "arn:aws:lambda:us-east-1:123456789012:function:pre-signup-validator",
    "PostConfirmation": "arn:aws:lambda:us-east-1:123456789012:function:post-confirm-handler",
    "PreTokenGeneration": "arn:aws:lambda:us-east-1:123456789012:function:add-custom-claims"
  },
  "AccountRecoverySetting": {
    "RecoveryMechanisms": [
      {
        "Priority": 1,
        "Name": "verified_email"
      }
    ]
  },
  "UserPoolAddOns": {
    "AdvancedSecurityMode": "ENFORCED"
  }
}

Generated Output

Output will appear here...

About This Tool

Amazon Cognito User Pools provide a fully managed identity provider for web and mobile applications, handling user sign-up, sign-in, MFA, and token management. Configuration involves dozens of interrelated settings — password policies, MFA options, attribute schemas, Lambda triggers for custom workflows, and app client settings with OAuth scopes. The Cognito User Pool Builder walks you through these options and generates the complete configuration JSON, reducing the risk of misconfigurations that can lock users out or weaken authentication security.

Real-World Scenario

Your team is replacing a custom-built auth system with Cognito. The legacy DB has 50K users with bcrypt-hashed passwords. The builder generates a Cognito User Pool config + a User Migration Lambda trigger that validates old credentials against your legacy DB. Users sign in normally; the trigger transparently migrates them on first login. No mass password reset, no UX disruption. After 90 days, ~95% of active users have migrated; the remaining 5% are dormant accounts that get a forced reset email.

When to Use This Tool

•Configuring a user pool with adaptive MFA, custom password requirements, and email verification for a production application
•Setting up Lambda triggers for pre-sign-up validation, custom messages, and post-authentication analytics
•Defining custom attribute schemas and app client settings with the correct OAuth flows and scopes
•Generating CloudFormation or Terraform configurations for reproducible Cognito deployments

Pro Tips

TIP

Always enable adaptive authentication for production Cognito user pools. It analyzes login patterns (device, location, attempt frequency) and steps up to MFA when risk is detected. Standard MFA (always-required) creates user friction; adaptive applies it only when needed — better UX with the same security.

TIP

TOTP is the right MFA default in 2026. SMS-based MFA is vulnerable to SIM swap attacks (used in the Twitter/Coinbase breaches). For B2B and security-sensitive apps, REQUIRE TOTP. SMS is acceptable for low-risk consumer apps but should be removed as soon as users adopt TOTP.

TIP

User Migration Lambda triggers are gold for migrating from legacy auth systems. Without them, you'd need to force every user to reset their password during migration. With them, users seamlessly transition on next login while you validate their old credentials behind the scenes — zero user-visible disruption.

How It Works Under the Hood

The builder generates Cognito User Pool configurations across multiple sections: password policy (length, character requirements), MFA settings (TOTP, SMS, adaptive), schema (standard + custom attributes), Lambda triggers (pre-sign-up, custom messages, etc.), app client settings (OAuth flows, token validity, allowed scopes), and identity providers (social, SAML, OIDC federation). Output is generated as aws cognito-idp create-user-pool commands and Terraform aws_cognito_user_pool resources.

Frequently Asked Questions

What MFA options does Cognito support?: Cognito supports SMS-based MFA, TOTP (time-based one-time password) via authenticator apps, and email-based MFA. You can set MFA to optional (users choose whether to enable it), required (all users must enroll), or off. Adaptive authentication can automatically require MFA when Cognito detects a risk signal like a new device or location. TOTP is generally recommended over SMS because it is not susceptible to SIM-swapping attacks.
How do Lambda triggers customize the authentication flow?: Lambda triggers fire at specific points in the authentication lifecycle: pre-sign-up (validate or auto-confirm users), pre-authentication (custom validation before sign-in), post-authentication (logging or analytics), custom message (personalize verification emails/SMS), define/create/verify auth challenge (build completely custom authentication flows), and pre-token-generation (add custom claims to JWT tokens). Each trigger receives a specific event payload and must return an expected response format.
Can I migrate existing users to a Cognito User Pool?: Yes. Cognito supports a user migration Lambda trigger that fires when a user who does not exist in the pool attempts to sign in. The trigger can verify the user against your legacy system and, if valid, create them in Cognito transparently. You can also use the AdminCreateUser API for bulk imports. Passwords cannot be migrated directly due to hashing, so the migration trigger approach lets users keep their existing passwords by verifying them against the old system on first login.

Related Learning Guides

AWS IAM Best Practices25 min read

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.