I am experimenting with AWS Amplify (and the whole AWS infrastructure) to figure out if it supports a specific workflow I need to implement for a client.
The idea is to have a user authenticate (using Cognito User Pools, not federated/openId logins) with email/password and only require a step-up with MFA when the user needs to access sensitive information or tooling (similar to how this Auth0 guide explains it).
In other words: I do not want to always require users to confirm their signin, right away after they signed in. Most sessions (where a user should be able to read/update data!) will not require this at all. Only some actions require the user to supply MFA verification for their account.
It is important to note that I need to be able to interact with (for example) DynamoDB in both situations (confirmed signin, unconfirmed signin) and other parts of AWS.
Is it possible to implement this? Perhaps using AWS Lambda?
As far as I know, this is not available as a configuration option on AWS amplify as of today.
The way I would implement it is a Cognito Custom Authentication Flow. I did not test this set of high level instructions - bear with me if I missed something.
Scenario 1: regular authentication: just leverage Amplify Auth and Cognito password based authentication.
Scenario 2: at some point in the customer journey, your application needs a higher level of authentication.
At this stage, the client app would trigger a custom authentication flow. This involves switching authentication flow (as described here https://docs.amplify.aws/lib/auth/switch-auth/q/platform/js) and potentially having multiple flows in the awsconfigure.json file.
Once switched, your client app can trigger a second Auth flow (a custom one) as described here https://docs.amplify.aws/lib/auth/switch-auth/q/platform/js#custom_auth-flow
The custom auth would request the client app to provide a valid JWT token (the one you obtained from scenario 1) and the additional OTP. This would ensure only correctly authenticated users can submit an OTP.
To implement that flow, you'll need an AWS Lambda function. The Lambda function will implement the various phases of the challenge negotiation and also verify the credentials provided (the JWT token and the OTP). The whole process is documented here https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-define-auth-challenge.html
Here is an example of a custom auth I implemented in Python and the corresponding client code in Swift https://gist.github.com/sebsto/6f5d9caf60c3db40ac245c1a9bb42b87
This does not exactly implement your use case, but it should be close enough to get started.
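To make the three Lambda triggers of the custom auth flow concrete, here is an added example (not the gist linked above, and not AWS code) of the DefineAuthChallenge, CreateAuthChallenge and VerifyAuthChallengeResponse handlers for the step-up described in the answer. The event and response field names are the ones Cognito documents for these triggers; everything else is an assumption of this example: the client sends `challengeAnswer` as a JSON string with `token` and `otp` keys, `verify_token` is a caller-supplied callback that must validate the scenario-1 JWT (signature against the user pool JWKS, expiry, and that it belongs to `event["userName"]`), `deliver_otp` stands in for the SMS/email delivery you would wire up, and `simulate_step_up` only imitates Cognito's orchestration locally so the flow can be exercised offline. The OTP lives only in `privateChallengeParameters` (never in the public ones) and is compared with `hmac.compare_digest`; the retry limit is a constructed value.

```python
import hmac
import json
import secrets

MAX_ATTEMPTS = 3   # constructed limit: fail the flow after this many wrong answers
OTP_DIGITS = 6


def define_auth_challenge(event):
    """DefineAuthChallenge trigger: pick the next step from the session history."""
    session = event["request"].get("session", [])
    response = event["response"]
    response["issueTokens"] = False
    response["failAuthentication"] = False
    response["challengeName"] = None

    failures = sum(1 for s in session
                   if s["challengeName"] == "CUSTOM_CHALLENGE" and not s["challengeResult"])
    if session and session[-1]["challengeName"] == "CUSTOM_CHALLENGE" and session[-1]["challengeResult"]:
        response["issueTokens"] = True          # step-up satisfied: Cognito issues new tokens
    elif failures >= MAX_ATTEMPTS:
        response["failAuthentication"] = True   # too many bad OTP/token attempts
    else:
        response["challengeName"] = "CUSTOM_CHALLENGE"
    return event


def create_auth_challenge(event, deliver_otp=None):
    """CreateAuthChallenge trigger: mint a fresh OTP and hand it to the delivery channel."""
    otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    if deliver_otp is not None:
        deliver_otp(event["userName"], otp)     # assumed hook: SMS/email, never the client response
    event["response"]["publicChallengeParameters"] = {
        "hint": "Enter the one-time code and your current session token"}
    event["response"]["privateChallengeParameters"] = {"otp": otp}   # only visible to the Verify trigger
    event["response"]["challengeMetadata"] = "STEP_UP_OTP"
    return event


def verify_auth_challenge_response(event, verify_token):
    """VerifyAuthChallengeResponse trigger: both the scenario-1 JWT and the OTP must check out."""
    expected_otp = event["request"]["privateChallengeParameters"]["otp"]
    try:
        answer = json.loads(event["request"]["challengeAnswer"])   # assumed answer shape
        token, otp = str(answer["token"]), str(answer["otp"])
    except (ValueError, KeyError, TypeError):
        event["response"]["answerCorrect"] = False
        return event
    token_ok = bool(verify_token(token, event["userName"]))
    otp_ok = hmac.compare_digest(otp.encode(), expected_otp.encode())   # constant-time compare
    event["response"]["answerCorrect"] = token_ok and otp_ok
    return event


def simulate_step_up(username, answer_for, verify_token):
    """Constructed local stand-in for Cognito's orchestration of the three triggers.

    answer_for(otp, attempt_index) returns the challengeAnswer string the client would send.
    Returns (outcome, number_of_challenge_rounds).
    """
    session = []
    while True:
        define_ev = {"userName": username, "request": {"session": list(session)}, "response": {}}
        define_auth_challenge(define_ev)
        if define_ev["response"]["issueTokens"]:
            return "TOKENS_ISSUED", len(session)
        if define_ev["response"]["failAuthentication"]:
            return "FAILED", len(session)
        create_ev = {"userName": username, "request": {"session": list(session)}, "response": {}}
        create_auth_challenge(create_ev)
        private = create_ev["response"]["privateChallengeParameters"]
        verify_ev = {"userName": username,
                     "request": {"privateChallengeParameters": private,
                                 "challengeAnswer": answer_for(private["otp"], len(session))},
                     "response": {}}
        verify_auth_challenge_response(verify_ev, verify_token)
        session.append({"challengeName": "CUSTOM_CHALLENGE",
                        "challengeResult": verify_ev["response"]["answerCorrect"],
                        "challengeMetadata": create_ev["response"]["challengeMetadata"]})


if __name__ == "__main__":
    # Constructed stand-in for real JWT validation against the user pool.
    fake_verifier = lambda token, user: token == "jwt-for-alice" and user == "alice"
    good_client = lambda otp, n: json.dumps({"token": "jwt-for-alice", "otp": otp})
    forged_client = lambda otp, n: json.dumps({"token": "forged", "otp": otp})
    print(simulate_step_up("alice", good_client, fake_verifier))     # ('TOKENS_ISSUED', 1)
    print(simulate_step_up("alice", forged_client, fake_verifier))   # ('FAILED', 3)
```

The point of the Verify trigger is that a correct OTP alone is not enough: the session token from the password login is checked first, so only a caller who already holds a valid scenario-1 session can even attempt the OTP, which is what the answer means by "only correctly authenticated users can submit an OTP". The attempt counter in DefineAuthChallenge is what stops an online guess of a six-digit code.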