TL;DR: Risk-based MFA can be added to existing web apps without changing the origin, using encrypted cookies and three edge functions to preserve login state while inserting challenge decisions at CloudFront, according to Authsignal. The governance question is not whether MFA works, but where authentication control can be inserted without breaking application ownership and session handling.
NHIMG editorial — based on content published by Authsignal: How to add adaptive MFA and passkeys to any web app with Authsignal and Lambda@Edge
Questions worth separating out
Q: How should security teams add MFA to legacy apps without changing the origin?
A: Place the authentication decision at the front door, such as CloudFront or another reverse proxy layer, and preserve only the minimum state needed to complete the login flow.
Q: Why do edge-based authentication controls matter for IAM programmes?
A: They matter because many applications cannot be refactored quickly, yet the organisation still needs stronger sign-in assurance.
Q: What do teams get wrong about adding MFA to existing applications?
A: They often assume the application must own every step of authentication.
Practitioner guidance
- Map which apps can absorb edge-layer MFA Identify legacy, third-party, and source-locked applications where CloudFront or another front door can become the policy enforcement point without changing the origin application.
- Separate challenge state from application session state Encrypt usernames, challenge metadata, and session cookies before passing them between edge functions, and define a short-lived cleanup path for any temporary cookies.
- Test the full redirect and restore path under failure Validate what happens when the risk API times out, the callback token is missing, or the encrypted challenge cookie cannot be read, because broken restore logic becomes an auth outage.
What's in the full article
Authsignal's full blog post covers the operational detail this post intentionally leaves for the source:
- The complete Lambda@Edge implementation pattern, including the three function roles and how each one handles the login flow.
- The shared utility code for encryption, cookies, and HTTPS calls, which is useful if you need to reproduce the edge pattern safely.
- The CloudFormation and SAM deployment details, including versioning, origin policy choices, and CloudFront association settings.
- The testing and configuration steps for Authsignal rules, passkeys, OTP, and challenge policy behaviour.
👉 Read Authsignal’s guide to adding adaptive MFA and passkeys at the CloudFront edge →
Adaptive MFA at the edge: what IAM teams need to know?
Explore further
Authentication control is moving out of the app and into the delivery layer. This pattern reflects a broader shift in identity architecture: the application no longer has to own every step of authentication to enforce policy. That matters for legacy tools, third-party apps, and environments where source changes are slow or impossible. The real change is governance, because the control point becomes CloudFront state handling, not application code. Practitioners should treat the edge as an identity enforcement layer, not just a traffic layer.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who should own risk-based MFA when the application does not change?
A: Ownership should sit with the team responsible for authentication policy, edge enforcement, and operational testing, not only with the application owner. If the origin never sees the MFA step, governance must cover who approves policy changes, who monitors failures, and who validates that challenge behaviour matches risk intent.
👉 Read our full editorial: Adaptive MFA at the CloudFront edge for legacy web apps