AWS cognito high security documentation change
Summary
Added 'Best practices' section with security recommendations against SMS-based MFA, warnings about SMS delivery challenges, and links to fraud/SMS pumping prevention resources
Security assessment
Explicitly discourages SMS for MFA due to security risks (phone number ownership changes), adds guidance about SMS pumping fraud prevention, and references AWS security blogs about mitigating SMS vulnerabilities
Diff
diff --git a/cognito/latest/developerguide/user-pool-sms-settings.md b/cognito/latest/developerguide/user-pool-sms-settings.md index 7989b1882..047763e50 100644 --- a//cognito/latest/developerguide/user-pool-sms-settings.md +++ b//cognito/latest/developerguide/user-pool-sms-settings.md @@ -5 +5 @@ -Setting up SMS messaging for the first time in Amazon Cognito user pools +Best practicesSetting up SMS messaging for the first time in Amazon Cognito user pools @@ -15,6 +14,0 @@ Amazon SNS charges for SMS text messages. For more information, see [Amazon SNS -###### Note - -Because of the volume of unsolicited SMS traffic worldwide, some governments impose barriers between the senders and recipients of SMS messages. When you use SMS messages for MFA and user updates, you must take additional steps to ensure that your messages are delivered. You must also monitor SMS-message-related regulations in countries where your users might live and keep your SMS message configuration current. For more information, see [Mobile text messaging (SMS)](https://docs.aws.amazon.com/sns/latest/dg/sns-mobile-phone-number-as-subscriber.html) in the Amazon Simple Notification Service Developer Guide. - -The use of SMS messages to authenticate and verify users isn't a security best practice. Phone numbers can change owners, and might not reliably represent a _something you have_ factor of MFA for your users. Instead, implement TOTP MFA in your app or with your third-party IdP. You can also create additional custom authentication factors with [Custom authentication challenge Lambda triggers](./user-pool-lambda-challenge.html). - @@ -40,0 +35,15 @@ Amazon Cognito might prevent delivery of additional email or SMS messages to a s +## Best practices + +Because of the volume of unsolicited SMS traffic worldwide, some governments impose barriers between the senders and recipients of SMS messages. When you use SMS messages for MFA and user updates, you must take additional steps to ensure that your messages are delivered. You must also monitor SMS-message-related regulations in countries where your users might live and keep your SMS message configuration current. For more information, see [Mobile text messaging (SMS)](https://docs.aws.amazon.com/sns/latest/dg/sns-mobile-phone-number-as-subscriber.html) in the Amazon Simple Notification Service Developer Guide. + +The use of SMS messages to authenticate and verify users isn't a security best practice. Phone numbers can change owners, and might not reliably represent a _something you have_ factor of MFA for your users. Instead, implement TOTP MFA in your app or with your third-party IdP. You can also create additional custom authentication factors with [Custom authentication challenge Lambda triggers](./user-pool-lambda-challenge.html). + +Review the following links for information about securing your SMS message delivery architecture. + + * [Reduce risks of user sign-up fraud and SMS pumping with Amazon Cognito user pools](https://aws.amazon.com/blogs/security/reduce-risks-of-user-sign-up-fraud-and-sms-pumping-with-amazon-cognito-user-pools/) + + * [Defending Against SMS Pumping: New AWS Features to Help Combat Artificially Inflated Traffic](https://aws.amazon.com/blogs/messaging-and-targeting/defending-against-sms-pumping-new-aws-features-to-help-combat-artificially-inflated-traffic/) + + + +