Force MFA only for restricted content

Hi,

We are migrating our users to AWS Cognito user pools and trying to keep existing web/mobile UX.

Users to be able to sign in and use our web/mobile app with their username and password. But whenever user tries to access a sensitive content, user should be verified with an SMS challenge. I think, best place to keep MFA verification result would be ID Token. A claim for the MFA verification result like amr: mfa etc..

I couldn't find any out of the box solution for this case. According to my research, MFA can only be enabled or disabled for a user.

I would appreciate if you can share your ideas.

Not sure how to accomplish but when user tries to access sensitive content, maybe:

1- Custom auth flow could be initiated. We have to avoid asking credentials again. If possible, I can use existing access/refresh token to initiate the flow without asking credentials again. This custom flow will work as OOB MFA authentication flow. But specific to this flow, pre token generation lambda trigger can build new ID token with MFA claim.

2- Prepare rest endpoints or lambda functions for sending the SMS code and verifying the code. If code is verified, use refresh token to get new tokens. TokenGeneration_RefreshTokens will trigger Pre token generation Lambda trigger. Lambda trigger should be able decide to include MFA claim in the ID token.

3- Like number 2 but instead of Pre token generation Lambda trigger, update the ID token somewhere else and add MFA claim if SMS code verification is success.

4- If Cognito has a functionality to prepare policies to force MFA for specific cases.

Edit:

5- I found a Cognito Step Up Authentication sample https://github.com/aws-samples/step-up-auth

Thanks