feat(Auth): Update docs to reflect email MFA support (#8465)

osama-rizk · web-flow · commit c7807f4eb4e9 · 2025-11-11T10:03:02.000+01:00
* feat(Auth): Update docs to reflect email MFA support

* Fix MDX syntax error

* Update email MFA callout
diff --git a/src/pages/[platform]/build-a-backend/auth/concepts/multi-factor-authentication/index.mdx b/src/pages/[platform]/build-a-backend/auth/concepts/multi-factor-authentication/index.mdx
@@ -49,6 +49,13 @@ export const auth = defineAuth({
   multifactor: {
     mode: 'OPTIONAL',
     totp: true,
+    email: true,
+  },
+  senders: {
+    email: {
+      fromEmail: 'noreply@example.com',
+      fromName: 'My App',
+    },
   },
 // highlight-end
   userAttributes: {
@@ -59,11 +66,7 @@ export const auth = defineAuth({
 });
 ```
 
-<Callout info>
-**Note:** Email-based MFA is currently not supported with `defineAuth`. We are working towards supporting this feature. For more information, visit the [feature request in GitHub](https://github.com/aws-amplify/amplify-backend/issues/2159).
 
-To take advantage of this feature with an Amplify generated backend, the underlying CDK construct can be extended manually. See [overriding Cognito User Pool multi-factor authentication options](/[platform]/build-a-backend/auth/modify-resources-with-cdk/#override-cognito-userpool-multi-factor-authentication-options) for more information.
-</Callout>
 
 When MFA is `REQUIRED` with SMS in your backend auth resource, you will need to pass the phone number during sign-up API call. If you are using the `email` or `username` as the primary sign-in mechanism, you will need to pass the `phone_number` attribute as a user attribute. 
 
@@ -856,12 +859,36 @@ If a user loses access to their TOTP device, they will need to contact an admini
 In a scenario where MFA is marked as "Required" in the Cognito User Pool and another MFA method is not set up, the administrator would need to first initiate an [`AdminUpdateUserAttributes`](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) call and update the user's phone number attribute. Once this is complete, the administrator can continue changing the MFA preference to SMS as suggested above.
 
 ## Multi-factor authentication with EMAIL
-<InlineFilter filters={["react"]}>
-<Callout info>
-**Note:** Email-based MFA is currently not supported in the [Authenticator component](https://ui.docs.amplify.aws/react/connected-components/authenticator). We are working towards supporting this feature. For more information, visit the [feature request in GitHub](https://github.com/aws-amplify/amplify-ui/issues/5983).
+To enable email MFA, set `email: true` in your multifactor configuration and configure an email sender.
 
+<Callout warning>
+To permit users to sign in with email MFA, your user pool must have the following configuration options:
+
+- You have the Plus or Essentials feature plan in your user pool.
+- Your user pool sends email messages with your own Amazon SES resources.
+
+For more details, see [Amazon Cognito email MFA configuration](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html).
 </Callout>
-</InlineFilter>
+
+```ts title="amplify/auth/resource.ts"
+import { defineAuth } from '@aws-amplify/backend';
+
+export const auth = defineAuth({
+  loginWith: {
+    email: true
+  },
+  multifactor: {
+    mode: 'OPTIONAL',
+    email: true,
+  },
+  senders: {
+    email: {
+      fromEmail: 'noreply@example.com',
+      fromName: 'My App',
+    },
+  },
+});
+```
 
 <InlineFilter filters={["swift"]}>
 <Callout info>
diff --git a/src/pages/[platform]/build-a-backend/auth/modify-resources-with-cdk/index.mdx b/src/pages/[platform]/build-a-backend/auth/modify-resources-with-cdk/index.mdx
@@ -57,69 +57,13 @@ cfnUserPool.policies = {
 };
 ```
 
-## Override Cognito UserPool multi-factor authentication options
-
-While Email MFA is not yet supported with `defineAuth`, this feature can be enabled by modifying the underlying CDK construct.
-
-Start by ensuring your `defineAuth` resource configuration includes a compatible account recovery option and a custom SES sender.
-
-```ts title="amplify/auth/resource.ts"
-import { defineAuth } from "@aws-amplify/backend"
-
-/**
- * Define and configure your auth resource
- * @see https://docs.amplify.aws/gen2/build-a-backend/auth
- */
-export const auth = defineAuth({
-  loginWith: {
-    email: true,
-    phone: true,
-  },
-  multifactor: {
-    mode: "OPTIONAL",
-    sms: true,
-    totp: false,
-  },
-  // Important! The logic to resolve this value cannot determine whether email mfa is enabled when overriding the resource. 
-  // Be sure to pick a recovery option appropriate for your application.
-  accountRecovery: "EMAIL_AND_PHONE_WITHOUT_MFA",
-  senders: {
-    email: {
-      fromEmail: "registrations@example.com",
-    },
-  },
-})
-```
-
-Next, extend the underlying CDK construct by activating [Amazon Cognito's Advanced Security Features (ASF)](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) and add `EMAIL_OTP` to the enabled MFA options.
-
-```ts title="amplify/backend.ts"
-import { defineBackend } from "@aws-amplify/backend"
-import { auth } from "./auth/resource"
-
-const backend = defineBackend({
-  auth,
-})
-
-const { cfnUserPool } = backend.auth.resources.cfnResources
-
-// enable ASF
-cfnUserPool.userPoolAddOns = {
-  advancedSecurityMode: "AUDIT",
-}
-
-// add email mfa
-// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-enabledmfas
-cfnUserPool.enabledMfas = [...(cfnUserPool.enabledMfas || []), "EMAIL_OTP"]
-```
-
 {/* token validity */}
 {/* BYO custom idp construct */}
 {/* extend auth/unauth roles */}
 
 <InlineFilter filters={["android","angular", "javascript", "nextjs", "react", "react-native", "swift", "vue"]}>
 
-### Override Cognito UserPool to enable passwordless sign-in methods
+## Override Cognito UserPool to enable passwordless sign-in methods
 
 You can modify the underlying Cognito user pool resource to enable sign in with passwordless methods. [Learn more about passwordless sign-in methods](/[platform]/build-a-backend/auth/concepts/passwordless/). 
 
diff --git a/src/pages/[platform]/deploy-and-host/sandbox-environments/seed/index.mdx b/src/pages/[platform]/deploy-and-host/sandbox-environments/seed/index.mdx
@@ -305,13 +305,6 @@ npx ampx sandbox seed
 ```
 
 SMS MFA follows the same pattern as Email MFA, using command line prompts for verification. Just replace `mfaPreference: "EMAIL"` with `mfaPreference: "SMS"` in your configuration. The command line experience will be identical, prompting for the SMS code instead of the email code.
-
-<Callout info>
-**Note:** Email-based MFA is currently not supported with `defineAuth`. We are working towards supporting this feature. For more information, visit the [feature request in GitHub](https://github.com/aws-amplify/amplify-backend/issues/2159).
-
-To take advantage of this feature with an Amplify generated backend, the underlying CDK construct can be extended manually. See [overriding Cognito User Pool multi-factor authentication options](/[platform]/build-a-backend/auth/modify-resources-with-cdk/#override-cognito-userpool-multi-factor-authentication-options) for more information.
-</Callout>
-
 ### Data
 
 For example, if you like to seed your Data API, lets start by creating a GraphQL API with a `Todo` model with authorization mode set to `userPool`:
