What MFA options does Cognito support?

Cognito supports SMS-based MFA, TOTP (time-based one-time password) via authenticator apps, and email-based MFA. You can set MFA to optional (users choose whether to enable it), required (all users must enroll), or off. Adaptive authentication can automatically require MFA when Cognito detects a risk signal like a new device or location. TOTP is generally recommended over SMS because it is not susceptible to SIM-swapping attacks.

How do Lambda triggers customize the authentication flow?

Lambda triggers fire at specific points in the authentication lifecycle: pre-sign-up (validate or auto-confirm users), pre-authentication (custom validation before sign-in), post-authentication (logging or analytics), custom message (personalize verification emails/SMS), define/create/verify auth challenge (build completely custom authentication flows), and pre-token-generation (add custom claims to JWT tokens). Each trigger receives a specific event payload and must return an expected response format.

Can I migrate existing users to a Cognito User Pool?

Yes. Cognito supports a user migration Lambda trigger that fires when a user who does not exist in the pool attempts to sign in. The trigger can verify the user against your legacy system and, if valid, create them in Cognito transparently. You can also use the AdminCreateUser API for bulk imports. Passwords cannot be migrated directly due to hashing, so the migration trigger approach lets users keep their existing passwords by verifying them against the old system on first login.

Cognito User Pool Builder

IAM & SecurityAWS

Build Cognito user pool configurations with MFA, password policies, and Lambda triggers.

Cognito Configuration

Build Cognito user pool configs with auth flows, MFA, password policies, and Lambda triggers.

Required Fields

PoolNamePolicies.PasswordPolicy.MinimumLengthSchema

{
  "PoolName": "my-app-user-pool",
  "AutoVerifiedAttributes": ["email"],
  "UsernameAttributes": ["email"],
  "MfaConfiguration": "OPTIONAL",
  "Policies": {
    "PasswordPolicy": {
      "MinimumLength": 12,
      "RequireUppercase": true,
      "RequireLowercase": true,
      "RequireNumbers": true,
      "RequireSymbols": true,
      "TemporaryPasswordValidityDays": 7
    }
  },
  "Schema": [
    {
      "Name": "email",
      "AttributeDataType": "String",
      "Required": true,
      "Mutable": true
    },
    {
      "Name": "name",
      "AttributeDataType": "String",
      "Required": true,
      "Mutable": true
    },
    {
      "Name": "tenant_id",
      "AttributeDataType": "String",
      "Required": false,
      "Mutable": false
    }
  ],
  "LambdaConfig": {
    "PreSignUp": "arn:aws:lambda:us-east-1:123456789012:function:pre-signup-validator",
    "PostConfirmation": "arn:aws:lambda:us-east-1:123456789012:function:post-confirm-handler",
    "PreTokenGeneration": "arn:aws:lambda:us-east-1:123456789012:function:add-custom-claims"
  },
  "AccountRecoverySetting": {
    "RecoveryMechanisms": [
      {
        "Priority": 1,
        "Name": "verified_email"
      }
    ]
  },
  "UserPoolAddOns": {
    "AdvancedSecurityMode": "ENFORCED"
  }
}

Generated Output

Output will appear here...

About This Tool

Amazon Cognito User Pools provide a fully managed identity provider for web and mobile applications, handling user sign-up, sign-in, MFA, and token management. Configuration involves dozens of interrelated settings — password policies, MFA options, attribute schemas, Lambda triggers for custom workflows, and app client settings with OAuth scopes. The Cognito User Pool Builder walks you through these options and generates the complete configuration JSON, reducing the risk of misconfigurations that can lock users out or weaken authentication security.

When to Use This Tool

•Configuring a user pool with adaptive MFA, custom password requirements, and email verification for a production application
•Setting up Lambda triggers for pre-sign-up validation, custom messages, and post-authentication analytics
•Defining custom attribute schemas and app client settings with the correct OAuth flows and scopes
•Generating CloudFormation or Terraform configurations for reproducible Cognito deployments

Frequently Asked Questions

What MFA options does Cognito support?: Cognito supports SMS-based MFA, TOTP (time-based one-time password) via authenticator apps, and email-based MFA. You can set MFA to optional (users choose whether to enable it), required (all users must enroll), or off. Adaptive authentication can automatically require MFA when Cognito detects a risk signal like a new device or location. TOTP is generally recommended over SMS because it is not susceptible to SIM-swapping attacks.
How do Lambda triggers customize the authentication flow?: Lambda triggers fire at specific points in the authentication lifecycle: pre-sign-up (validate or auto-confirm users), pre-authentication (custom validation before sign-in), post-authentication (logging or analytics), custom message (personalize verification emails/SMS), define/create/verify auth challenge (build completely custom authentication flows), and pre-token-generation (add custom claims to JWT tokens). Each trigger receives a specific event payload and must return an expected response format.
Can I migrate existing users to a Cognito User Pool?: Yes. Cognito supports a user migration Lambda trigger that fires when a user who does not exist in the pool attempts to sign in. The trigger can verify the user against your legacy system and, if valid, create them in Cognito transparently. You can also use the AdminCreateUser API for bulk imports. Passwords cannot be migrated directly due to hashing, so the migration trigger approach lets users keep their existing passwords by verifying them against the old system on first login.

Related Learning Guides

AWS IAM Best Practices25 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.