Multi-Factor Authentication

MFA Methods

StackFlow supports Time-based One-Time Password (TOTP) and SMS-based MFA through Amazon Cognito. TOTP is the recommended method for security-sensitive accounts: it does not depend on cellular carrier infrastructure and is not exposed to SIM-swapping attacks. Note that TOTP codes can still be relayed by a real-time phishing proxy; only FIDO2/WebAuthn (planned for v2026.2) is phishing-resistant, so treat TOTP as the minimum for administrators, not the ceiling.

⚙️ Minimum Requirements
  • Cognito MFA: TOTP MFA enabled on pool us-east-1_WKK1AVJ2m (set via set-user-pool-mfa-config)
  • Role Enforcement Config: StackFlow_SystemProperty record mfa.required_roles listing roles that require MFA
  • SNS: SMS MFA requires an SNS SMS sandbox exit or production SMS sending enabled for the region
  • Pre-Token Lambda: StackFlowCognitoPreToken must check the MFA configuration of users holding MFA-required roles before tokens are issued
Method                     Recommendation                    Setup
TOTP (Authenticator App)   Recommended for all users         Google Authenticator, Authy, 1Password
SMS OTP                    Acceptable for non-admin users    Verified phone number required
Hardware FIDO2/WebAuthn    Coming in v2026.2                 YubiKey, macOS Touch ID

Enabling MFA for Users

Users can self-enroll MFA from their profile settings. Navigate to My Profile → Security → Enable MFA. A QR code is displayed for TOTP setup using any authenticator application. The user must confirm with a valid OTP before MFA is fully activated.

# Enable TOTP MFA for a user via AWS CLI.
# This only sets the user's MFA preference: the user must already have a
# verified software token (associate-software-token / verify-software-token,
# which is what the profile enrollment flow performs).
aws cognito-idp admin-set-user-mfa-preference \
  --user-pool-id us-east-1_WKK1AVJ2m \
  --username user@example.com \
  --software-token-mfa-settings Enabled=true,PreferredMfa=true \
  --region us-east-1
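The confirmation step above exists because the server cannot know that the authenticator really scanned the QR code until it sees a code derived from the shared secret. The following is an added example, not StackFlow or Cognito code: an RFC 6238 TOTP implementation showing what that check involves, with a ±1 step window for clock skew and a last-accepted-counter guard so an intercepted code cannot be replayed. The issuer label "StackFlow", the 30-second step and the one-step window are assumptions; the RFC 6238 Appendix B test key is included so the output can be compared with the RFC's own table.

```python
"""RFC 6238 TOTP generation and verification (added example, not StackFlow code).

Shows the check performed when a user confirms TOTP enrollment: the submitted
code must match the shared secret for the current time step (or a neighbour,
to absorb clock skew), and no accepted counter may be accepted again.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
import urllib.parse
from typing import Optional

STEP_SECONDS = 30   # assumed step; Cognito and most authenticator apps use 30 s
DIGITS = 6

# RFC 6238 Appendix B test key, ASCII "12345678901234567890", base32-encoded.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def new_secret(nbytes: int = 20) -> str:
    """Fresh base32 secret; 160 bits is the RFC 4226 recommendation."""
    return base64.b32encode(os.urandom(nbytes)).decode()


def otpauth_uri(secret_b32: str, account: str, issuer: str = "StackFlow") -> str:
    """The otpauth:// URI that is rendered as the enrollment QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": DIGITS,
                                    "period": STEP_SECONDS})
    return f"otpauth://totp/{label}?{query}"


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp_at(secret_b32: str, unix_time: int) -> str:
    """TOTP code for the step containing unix_time."""
    return hotp(secret_b32, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side verifier with skew tolerance and replay rejection."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window           # steps accepted on either side of "now"
        self.last_counter = -1         # highest counter already consumed

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        base = now // STEP_SECONDS
        code = code.strip()
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue               # already used (or older): replay protection
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False
```

Persist `last_counter` with the user record in a real deployment; a verifier that forgets it between requests accepts the same code twice inside the window.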

Enforcing MFA by Role

StackFlow enforces MFA per role in the StackFlowCognitoPreToken pre-token generation Lambda, driven by the mfa.required_roles system property; this is StackFlow logic, not a Cognito advanced security feature (those cover adaptive authentication and compromised-credential detection). When a user holding an MFA-required role signs in without MFA configured, they are redirected to the MFA setup flow before reaching any StackFlow functionality; the grace period described below is the only exception.

{
  "mfa_enforcement": {
    "required_roles": ["super_admin", "itsm_manager", "cloud_admin", "security_admin"],
    "optional_roles": ["itsm_agent", "viewer", "developer"],
    "grace_period_days": 7,
    "enforcement_action": "redirect_to_setup"
  }
}
Important: The 7-day grace period is intended for new account onboarding only. Do not increase this value for administrator roles. A compromised admin account without MFA can result in full tenant compromise. Bear in mind that the grace period also means a newly provisioned super_admin can operate without MFA for a week; for admin roles, prefer grace_period_days of 0 and complete TOTP enrollment as part of provisioning.
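The decision the pre-token Lambda has to make (exempt role, already enrolled, inside the grace period, or overdue) is shown in the following added example. It is not the StackFlowCognitoPreToken source. Assumptions: the mfa.required_roles record has already been loaded into the ENFORCEMENT dict with the values from the JSON above; StackFlow roles appear as Cognito groups in the trigger event; the user's MFA state and creation date come from AdminGetUser (UserMFASettingList, UserCreateDate), fetched through an injectable lookup so the logic runs offline against constructed users; the resulting mfa_status / mfa_action claim names are hypothetical. One caveat a practitioner should know: the pre-token event does not say whether MFA was performed during this sign-in, only group membership, so the trigger can check that MFA is configured, not that it was used; with the pool MFA configuration set to ON Cognito enforces use itself, at the cost of the grace period.

```python
"""Role-based MFA enforcement in a Cognito pre-token generation trigger.

Added example, not the StackFlowCognitoPreToken source. Hypothetical
assumptions: ENFORCEMENT mirrors the mfa.required_roles record; roles are
Cognito groups; user state comes from AdminGetUser via an injectable lookup.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Same values as the mfa_enforcement JSON on this page.
ENFORCEMENT = {
    "required_roles": ["super_admin", "itsm_manager", "cloud_admin", "security_admin"],
    "optional_roles": ["itsm_agent", "viewer", "developer"],
    "grace_period_days": 7,
    "enforcement_action": "redirect_to_setup",
}
DAY = timedelta(days=1)
T0 = datetime(2026, 1, 1, tzinfo=timezone.utc)   # constructed reference "now"


def decide(groups: List[str], mfa_settings: List[str], created_at: datetime,
           now: datetime, config: Dict = ENFORCEMENT) -> Tuple[str, str]:
    """Return (status, action) for one sign-in.

    status: exempt (no MFA-required role), enrolled, grace, or overdue.
    action: allow, or config["enforcement_action"] once the grace period is over.
    """
    if not set(config["required_roles"]).intersection(groups):
        return "exempt", "allow"
    if mfa_settings:   # AdminGetUser lists SOFTWARE_TOKEN_MFA and/or SMS_MFA
        return "enrolled", "allow"
    if now - created_at < config["grace_period_days"] * DAY:
        return "grace", "allow"
    return "overdue", config["enforcement_action"]


def _boto3_lookup(user_pool_id: str, username: str) -> Dict:
    """Real lookup: AdminGetUser through boto3 (imported lazily; unused offline)."""
    import boto3
    return boto3.client("cognito-idp").admin_get_user(
        UserPoolId=user_pool_id, Username=username)


def handler(event: Dict, context=None,
            lookup: Callable[[str, str], Dict] = _boto3_lookup,
            now: Optional[datetime] = None) -> Dict:
    """Pre-token generation handler (V1 event shape).

    Stamps the decision into the ID token as mfa_status / mfa_action claims
    (hypothetical names) so the front end can redirect to setup. A 'deny'
    action raises, which makes Cognito fail the sign-in.
    """
    user = lookup(event["userPoolId"], event["userName"])
    groups = event["request"].get("groupConfiguration", {}).get("groupsToOverride", [])
    status, action = decide(groups, user.get("UserMFASettingList", []),
                            user["UserCreateDate"], now or datetime.now(timezone.utc))
    if action == "deny":
        raise PermissionError(f"MFA required for {event['userName']}")
    event.setdefault("response", {})["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": {"mfa_status": status, "mfa_action": action}
    }
    return event


# Constructed users standing in for AdminGetUser responses and group membership.
SAMPLE_USERS = {
    "admin-new":      {"UserMFASettingList": [], "UserCreateDate": T0 - 2 * DAY},
    "admin-overdue":  {"UserMFASettingList": [], "UserCreateDate": T0 - 30 * DAY},
    "admin-enrolled": {"UserMFASettingList": ["SOFTWARE_TOKEN_MFA"], "UserCreateDate": T0 - 30 * DAY},
    "viewer-nomfa":   {"UserMFASettingList": [], "UserCreateDate": T0 - 400 * DAY},
}
SAMPLE_GROUPS = {
    "admin-new": ["cloud_admin"], "admin-overdue": ["security_admin", "viewer"],
    "admin-enrolled": ["super_admin"], "viewer-nomfa": ["viewer"],
}


def run_samples(now: datetime = T0) -> Dict[str, Tuple[str, str]]:
    """Drive handler() over the constructed users; return the claims each receives."""
    out = {}
    for name, groups in SAMPLE_GROUPS.items():
        event = {"userPoolId": "us-east-1_WKK1AVJ2m", "userName": name,
                 "request": {"userAttributes": {},
                             "groupConfiguration": {"groupsToOverride": groups}},
                 "response": {}}
        claims = handler(event, lookup=lambda p, u: SAMPLE_USERS[u], now=now)
        claims = claims["response"]["claimsOverrideDetails"]["claimsToAddOrOverride"]
        out[name] = (claims["mfa_status"], claims["mfa_action"])
    return out
```

The front end should treat mfa_action of redirect_to_setup as a hard redirect for every route; if the API tier also honours the claim (rejecting requests whose token carries it), a client that ignores the redirect gains nothing.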

Recovery Codes

When users enroll in TOTP MFA, StackFlow generates 10 single-use recovery codes. These codes allow access when the primary MFA device is unavailable. Recovery codes are displayed once at enrollment and must be stored securely. Users can regenerate recovery codes from their profile settings, which invalidates all previous codes.
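The three properties in the paragraph above (shown once, single-use, regeneration invalidates the old set) drive how recovery codes should be stored: only a digest is kept, each digest carries a used flag, and regeneration replaces the whole set. The following added example, not StackFlow's implementation, shows one way to do that. The storage layout (a per-user salt, a SHA-256 digest and a used flag per code), the alphabet and the 10-character length are assumptions for illustration.

```python
"""Single-use recovery codes: generation, hashed storage, redemption, rotation.

Added example, not StackFlow's implementation. The storage layout and code
format are assumptions; the page only states that 10 single-use codes are
shown once and that regenerating them invalidates all previous codes.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

CODE_COUNT = 10
CODE_LENGTH = 10
# Lower-case letters and digits without 0/1/i/l/o, which users misread when
# typing a code back; 31 symbols ** 10 characters is about 2^49 codes.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _normalize(code: str) -> str:
    """Treat 'abcde-fghjk', 'ABCDE FGHJK' and 'abcdefghjk' as the same code."""
    return code.strip().replace("-", "").replace(" ", "").lower()


def _digest(code: str, salt: bytes) -> str:
    return hashlib.sha256(salt + _normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Keeps only digests, so a copy of the table cannot be used to sign in."""

    def __init__(self) -> None:
        self._salts: Dict[str, bytes] = {}
        self._records: Dict[str, List[dict]] = {}

    def generate(self, username: str) -> List[str]:
        """Issue a fresh set; the plaintext is returned exactly once.

        Replacing the user's whole record list is what invalidates every
        earlier code, used or not.
        """
        codes = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
                 for _ in range(CODE_COUNT)]
        salt = secrets.token_bytes(16)
        self._salts[username] = salt
        self._records[username] = [{"hash": _digest(c, salt), "used": False} for c in codes]
        return [f"{c[:5]}-{c[5:]}" for c in codes]   # display form, shown once

    def redeem(self, username: str, code: str) -> bool:
        """Consume one unused code.

        Every record is compared so a wrong guess costs the same time as a
        right one, and a code that has been used is never accepted again.
        """
        records = self._records.get(username)
        if records is None:
            return False
        candidate = _digest(code, self._salts[username])
        hit = None
        for rec in records:
            if hmac.compare_digest(rec["hash"], candidate) and not rec["used"]:
                hit = rec
        if hit is None:
            return False
        hit["used"] = True
        return True

    def remaining(self, username: str) -> int:
        """Unused codes left; warn the user and prompt regeneration when low."""
        return sum(1 for rec in self._records.get(username, []) if not rec["used"])
```

A redemption is a sign-in without the primary factor, so log it like the admin override below and rate-limit attempts per account: with ~2^49 possibilities per code and 10 live codes, online guessing is hopeless only if it stays online.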

Admin Override

Administrators can temporarily disable MFA for a user account in emergency situations (e.g., lost MFA device). Before doing so, confirm the user's identity through an out-of-band channel and check whether the user's recovery codes would resolve the situation without removing the factor. The action is logged to CloudTrail with the administrator's identity; when issued from the StackFlow console it also requires a business justification comment, which the raw CLI command below does not capture, so record the reason in your ticketing system. MFA is automatically re-enabled after 24 hours.

# Temporarily disable MFA (use with caution).
# This clears the user's preference only; it has the intended effect when the
# pool's MFA configuration is OPTIONAL. If the pool is set to ON, Cognito will
# still demand MFA setup at the next sign-in.
aws cognito-idp admin-set-user-mfa-preference \
  --user-pool-id us-east-1_WKK1AVJ2m \
  --username user@example.com \
  --software-token-mfa-settings Enabled=false,PreferredMfa=false \
  --region us-east-1

# This action generates a CloudTrail event (AdminSetUserMFAPreference) — always document the business reason