
I'm using the AWS CLI to enable a MFA user pool with only TOTP MFA (no SMS).

aws cognito-idp set-user-pool-mfa-config --user-pool-id xxxx_xxxx --mfa-configuration OPTIONAL --software-token-mfa-configuration Enabled=true

{
    "SoftwareTokenMfaConfiguration": {
        "Enabled": true
    },
    "MfaConfiguration": "OPTIONAL"
}

Seems okay, right? But when I try to set up a user preference I keep getting this error:

An error occurred (InvalidParameterException) when calling the AdminSetUserMFAPreference operation: User has not set up software token mfa

Command: aws cognito-idp admin-set-user-mfa-preference --user-pool-id xxxx_xxxx --username [email protected] --software-token-mfa-settings Enabled=true

Trying to use admin-set-user-preference also doesn't work: aws cognito-idp admin-set-user-settings --user-pool-id us-xxxx-xxxx --username [email protected] --mfa-option DeliveryMedium=EMAIL

An error occurred (InvalidParameterException) when calling the AdminSetUserSettings operation: Only phone_number attribute is currently supported as a MFA option.

What am I missing? Does it need an extra configuration not mentioned anywhere in documentation?


Solution:

First you need to get the ACCESS_TOKEN for the user and proceed to start the TOTP process:

aws cognito-idp associate-software-token --access-token ACCESS_TOKEN

(this will generate a unique code that you could use in Google Authenticator)

With the TOTP code retrieved from the Authenticator app run:

aws cognito-idp verify-software-token --access-token ACCESS_TOKEN --user-code USER_CODE

With the successful message from the previous command you can change the user preference:

aws cognito-idp admin-set-user-mfa-preference --user-pool-id xxxxx --username xxxxxxx --software-token-mfa-settings Enabled=True,PreferredMfa=True

  • I'm stuck on this too; any updates? Commented Aug 20, 2020 at 12:35
  • Hi @NitsanAvni I've updated the original question with the solution Commented Aug 21, 2020 at 13:17
  • great stuff! thanks a lot Commented Aug 21, 2020 at 19:10
  • I'm just trying to disable the MFA for a specific user, why do I need to set up the TOTP? Commented Jan 11, 2022 at 18:33
  • @LucianoJr can you create an answer and paste your solution in there and accept your answer to mark this question answered Commented May 31, 2022 at 19:09

2 Answers

4

Solution:

First you need to get the ACCESS_TOKEN for the user and proceed to start the TOTP process:

aws cognito-idp associate-software-token --access-token ACCESS_TOKEN

(this will generate a unique code that you could use in Google Authenticator)

With the TOTP code retrieved from the Authenticator app run:

aws cognito-idp verify-software-token --access-token ACCESS_TOKEN --user-code USER_CODE

With the successful message from the previous command you can change the user preference:

aws cognito-idp admin-set-user-mfa-preference --user-pool-id xxxxx --username xxxxxxx --software-token-mfa-settings Enabled=True,PreferredMfa=True


0

To setup the TOTP for user you have to call the AWS Cognito APIs in the following order

  1. Associate Software Token
  2. Verify Software Token
  3. Set User MFA Preference

The associate software token call will give you a SecretCode which you will convert to a QR code so that the user can scan it with an authenticator app. Then you will call the verify software token and pass it the code generated by the authenticator app. And finally you will enable the MFA by calling the set user preference API. And voila.
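The three-step sequence described in both answers above (associate, verify, then set the preference), as an added example that is not code from the question author or either answerer. It assumes a boto3 `cognito-idp` client is passed in; the method names `associate_software_token`, `verify_software_token` and `admin_set_user_mfa_preference` are boto3's names for the APIs discussed on the page, while `FakeCognito`, `enroll_totp`, `otpauth_uri`, the issuer name and the secret are constructed here so the script runs offline. The fake client reproduces the ordering rule behind the question's "User has not set up software token mfa" error, and the TOTP routine is the standard RFC 6238 HMAC-SHA1 / 30-second / 6-digit scheme, which is what the SecretCode is consumed with by an authenticator app.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse
from typing import Optional


def totp_code(secret_b32: str, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits). `secret_b32` is the
    base32 SecretCode returned by AssociateSoftwareToken."""
    if for_time is None:
        for_time = int(time.time())
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otpauth_uri(secret_b32: str, username: str, issuer: str) -> str:
    """Build the otpauth:// URI an authenticator app expects; render it as a
    QR code (any QR library) or show it as text. `issuer` is whatever name
    you want the app to display (hypothetical value in the test below)."""
    label = urllib.parse.quote(f"{issuer}:{username}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


def enroll_totp(client, access_token: str, user_pool_id: str, username: str,
                device_name: str = "cli-totp") -> str:
    """Run the Cognito calls in the order the API requires. `client` is
    boto3.client('cognito-idp') or any object with the same three methods.
    Returns the SecretCode so the caller can show it to the user."""
    # 1. AssociateSoftwareToken: the user's access token is required here;
    #    there is no admin-only variant, which is what the question missed.
    secret = client.associate_software_token(AccessToken=access_token)["SecretCode"]
    # 2. VerifySoftwareToken with a current code. In a real enrollment the user
    #    types this from their app; here it is derived from the secret directly.
    code = totp_code(secret)
    result = client.verify_software_token(
        AccessToken=access_token, UserCode=code, FriendlyDeviceName=device_name)
    if result.get("Status") != "SUCCESS":
        raise RuntimeError(f"VerifySoftwareToken returned {result.get('Status')}")
    # 3. Only now may the preference be set (this is the call that failed in the question).
    client.admin_set_user_mfa_preference(
        UserPoolId=user_pool_id, Username=username,
        SoftwareTokenMfaSettings={"Enabled": True, "PreferredMfa": True})
    return secret


class FakeCognito:
    """Constructed stand-in for the boto3 client so the example runs offline.
    It models the server-side rule behind the question's error: the MFA
    preference cannot be set until a software token has been verified."""

    def __init__(self):
        # constructed secret; a real SecretCode comes from Cognito
        self.secret = base64.b32encode(b"constructed-secret-1").decode().rstrip("=")
        self.verified = False
        self.preference = None

    def associate_software_token(self, AccessToken):
        return {"SecretCode": self.secret}

    def verify_software_token(self, AccessToken, UserCode, FriendlyDeviceName=None):
        ok = hmac.compare_digest(UserCode, totp_code(self.secret))
        self.verified = self.verified or ok
        return {"Status": "SUCCESS" if ok else "ERROR"}

    def admin_set_user_mfa_preference(self, UserPoolId, Username, SoftwareTokenMfaSettings):
        if not self.verified:
            raise ValueError("InvalidParameterException: User has not set up software token mfa")
        self.preference = SoftwareTokenMfaSettings
        return {}


if __name__ == "__main__":
    fake = FakeCognito()
    secret = enroll_totp(fake, "ACCESS_TOKEN", "xxxx_xxxx", "user@example.com")
    print(otpauth_uri(secret, "user@example.com", "ExampleIssuer"))
    print("preference now:", fake.preference)
```

To run against a real pool, replace `FakeCognito()` with `boto3.client("cognito-idp")` and obtain the access token from the user's own sign-in (for example `initiate-auth` in the CLI); the admin credentials alone cannot associate a token on the user's behalf.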
