Essentials plan features - Amazon Cognito

Essentials plan features

The Essentials feature plan has most of the best and latest features of Amazon Cognito user pools. When you switch from the Lite to the Essentials plan, you get new features for your managed login pages, multi-factor authentication with email-message one-time passwords, an enhanced password policy, and custom access tokens. To stay up-to-date with new user pool features, choose the Essentials plan for your user pools.

The sections that follow present a brief overview of the features that you can add to your application with the Essentials plan. For detailed information, see the following pages.

Access token customization

User pool access tokens grant permissions to applications: to access an API, to retrieve user attributes from the userInfo endpoint, or to establish group membership for an external system. In advanced scenarios, you might want to add to the default access-token data from the user pool directory with additional temporary parameters that your application determines at runtime. For example, you might want to verify a user's API permissions with Amazon Verified Permissions and adjust the scopes in the access token accordingly.

The Essentials plan adds to the existing functions of a pre token generation trigger. With lower-tier plans, you can customize ID tokens with additional claims, roles, and group membership. With Essentials, you can additionally customize access tokens with claims, roles, group membership, and OAuth scopes. Access token customization isn't available to machine-to-machine (M2M) client credentials grants.

To customize access tokens
  1. Select the Essentials or Plus feature plan.

  2. Create a Lambda function for your trigger. To use our example function, configure it for Node.js.

  3. Populate your Lambda function with our example code or compose your own. Your function must process a request object from Amazon Cognito and return the changes that you want to include.

  4. Assign your new function as a version 2 pre token generation trigger.
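The following is an added example of a version 2 pre token generation trigger for Node.js; it is not the documentation's own sample function. It derives access-token OAuth scopes from the user's group membership and adds a claim to both tokens. The group names, scope strings and the `granted_by` claim are constructed for this example; the event shape assumed is the version 2 pre token generation event (`request.groupConfiguration`, `response.claimsAndScopeOverrideDetails`).

```javascript
// Added example: version 2 pre token generation trigger (not Amazon Cognito's sample code).
// Mapping from user pool group to the scopes that group may hold (constructed values).
const GROUP_SCOPES = {
  admins: ["orders:read", "orders:write", "users:manage"],
  support: ["orders:read"],
};

// Scopes the application never wants in the access token, whatever the request carries.
// aws.cognito.signin.user.admin grants self-service user pool API access to the token holder.
const DENIED_SCOPES = ["aws.cognito.signin.user.admin"];

function customizeTokens(event) {
  const request = event.request || {};
  // groupsToOverride lists the groups the user is a member of (V2 event shape).
  const groups = (request.groupConfiguration || {}).groupsToOverride || [];

  // Only groups with a known mapping grant anything; unknown groups are ignored.
  const grantingGroups = groups.filter((g) => Object.hasOwn(GROUP_SCOPES, g));
  // Collect the scopes for every granting group, de-duplicated, in group order.
  const scopesToAdd = [...new Set(grantingGroups.flatMap((g) => GROUP_SCOPES[g]))];
  // Claim values are strings; record which groups produced the scopes.
  const grantedBy = grantingGroups.join(",");

  event.response = {
    claimsAndScopeOverrideDetails: {
      accessTokenGeneration: {
        claimsToAddOrOverride: { granted_by: grantedBy },
        scopesToAdd,
        scopesToSuppress: DENIED_SCOPES,
      },
      idTokenGeneration: {
        claimsToAddOrOverride: { granted_by: grantedBy },
      },
    },
  };
  return event;
}

// Lambda entry point: Cognito expects the (possibly modified) event back.
exports.handler = async (event) => customizeTokens(event);
exports.customizeTokens = customizeTokens;
```

The trigger is not invoked for machine-to-machine client credentials grants, so the function only ever sees events for user sign-in.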

Email MFA

Amazon Cognito user pools can be configured to use email as the second factor in multi-factor authentication (MFA). With email MFA, Amazon Cognito can send users an email with a verification code that they must enter to complete the authentication process. This adds an important extra layer of security to the user login flow. To enable email-based MFA, the user pool must be configured to use the Amazon SES email-sending configuration instead of the default email configuration.

When your user selects MFA by email message, Amazon Cognito will send a one-time verification code to the user's registered email address whenever they attempt to sign in. The user must then provide this code back to your user pool to complete the authentication flow and gain access. This ensures that even if a user's username and password are compromised, they must provide an additional factor—the emailed code—before they can access your application resources.

For more information, see SMS and email message MFA. The following is an overview of how to set up your user pool and users for email MFA.

To set up email MFA in the Amazon Cognito console
  1. Select the Essentials or Plus feature plan.

  2. In the Sign-in menu of your user pool, edit Multi-factor authentication.

  3. Choose the level of MFA enforcement that you want to set up. With Require MFA, users in the API automatically receive a challenge to set up, confirm, and sign in with MFA. In user pools that require MFA, managed login prompts them to choose and set up an MFA factor. With Optional MFA, your application must offer users the option to set up MFA and set the user's preference for email MFA.

  4. Under MFA methods, select Email message as one of the options.

Password reuse prevention

By default, an Amazon Cognito user pool password policy sets password length and character-type requirements, and temporary-password expiration. The Essentials plan adds the capability to enforce password history. When a user attempts to reset their password, your user pool can prevent them from setting it to a previous password. For more information about configuring the password policy, see Adding user pool password requirements. The following is an overview of how to set up your user pool with a password-history policy.

To set up password history in the Amazon Cognito console
  1. Select the Essentials or Plus feature plan.

  2. In the Authentication methods menu of your user pool, locate Password policy and select Edit.

  3. Configure other available options and set a value for Prevent use of previous passwords.

Managed login hosted sign-in and authorization server

Amazon Cognito user pools have optional webpages that support the following functions: an OpenID Connect (OIDC) IdP, a service provider or relying party to third-party IdPs, and public user-interactive pages for sign-up and sign-in. These pages are collectively called managed login. When you choose a domain for your user pool, Amazon Cognito automatically activates these pages. Where the Lite plan has the hosted UI, the Essentials plan opens up this advanced version of sign-up and sign-in pages.

Managed login pages have a clean, up-to-date interface with more features and options for customizing your branding and styles. The Essentials plan is the lowest plan level that unlocks access to managed login.

To set up managed login in the Amazon Cognito console
  1. From the Settings menu, select the Essentials or Plus feature plan.

  2. From the Domain menu, Assign a domain to your user pool and select a Branding version of Managed login.

  3. From the Managed login menu, under the Styles tab, choose Create a style and assign the style to an app client, or create a new app client.

Choice-based authentication

The Essentials tier introduces a new authentication flow for sign-in operations in managed login and in SDK-based API operations. This flow is choice-based authentication. Choice-based authentication is a method where your users' authentication starts not with an application-side declaration of a sign-in method, but with a query of the possible sign-in methods followed by a choice. You can configure your user pool to support choice-based authentication and unlock username-password, passwordless, and passkey authentication. In the API, this is the USER_AUTH flow.

To set up choice-based authentication in the Amazon Cognito console
  1. Select the Essentials or Plus feature plan.

  2. In the Sign-in menu of your user pool, edit Options for choice-based sign-in. Select and configure the authentication methods you want to enable in choice-based authentication.

  3. In the Authentication methods menu of your user pool, edit the configuration of sign-in operations.
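The client side of that "query, then choose" step, as an added example that is not part of the Amazon Cognito documentation: after InitiateAuth with the USER_AUTH flow returns a SELECT_CHALLENGE challenge, the function picks the strongest available method the application allows and builds the RespondToAuthChallenge input. The preference order and the allow-list are constructed for this example; the response fields assumed are `ChallengeName`, `Session` and `AvailableChallenges`, and the answer is sent as `ChallengeResponses.ANSWER`.

```javascript
// Added example (not Amazon Cognito sample code): choose a factor in the USER_AUTH flow.
// Strongest first: passkeys (WEB_AUTHN) are phishing resistant, one-time codes beat a
// bare password, and SRP avoids sending the password itself (constructed ordering).
const PREFERENCE = ["WEB_AUTHN", "EMAIL_OTP", "SMS_OTP", "PASSWORD_SRP", "PASSWORD"];

// initiateAuthResult: the InitiateAuth response object (assumed field names).
// allowed: methods this application is willing to use at all; anything else is
// refused even if the user pool offers it.
function chooseChallenge(initiateAuthResult, username, clientId, allowed = PREFERENCE) {
  if (initiateAuthResult.ChallengeName !== "SELECT_CHALLENGE") {
    throw new Error(`expected SELECT_CHALLENGE, got ${initiateAuthResult.ChallengeName}`);
  }
  const available = initiateAuthResult.AvailableChallenges || [];
  // First entry of the preference list that is both allowed here and offered by the pool.
  const pick = PREFERENCE.find((c) => allowed.includes(c) && available.includes(c));
  if (!pick) {
    throw new Error(`no acceptable sign-in method among: ${available.join(", ") || "(none)"}`);
  }
  // Input for RespondToAuthChallenge; Session carries the flow state between calls.
  return {
    ClientId: clientId,
    Session: initiateAuthResult.Session,
    ChallengeName: "SELECT_CHALLENGE",
    ChallengeResponses: { USERNAME: username, ANSWER: pick },
  };
}

module.exports = { chooseChallenge, PREFERENCE };
```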