Cognito set user MFA required when using TOTP only

3

Good day

Cognito can enforce MFA across the whole pool, which enforces the MFA setup auth flow, even for users that haven't set up TOTP yet. However, when making the pool MFA optional and then setting TOTP MFA required on a user, it fails with the error: User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA

However, as mentioned, when enforcing MFA globally this is not an issue.

How then can one force MFA auth flow when using TOTP only on a per-user basis?

What we've discovered thus far is that, when explicitly calling associateSoftwareToken after a login (without MFA), one can set a user to REQUIRED with SOFTWARE_TOKEN_MFA; however, the auth flow is still not enforced and there is no way with the API to discover whether the MFA is functional.

We have the requirement to have per-user MFA requirements.

We believe this is in fact a bug. Currently we are forced to either manually implement MFA in our app itself, or force MFA globally for all users.

asked 2 years ago, 912 views
3 Answers
1

Is there any update on this thread? When MFA is set to optional for the User Pool then when I try to turn on Software Authenticator access for a user I get the "User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA" error.

Mark
answered 2 years ago
1

Anyone found a solution for this? We've been dealing with the exact same issue and the docs don't provide any information on this.

symag
answered 2 years ago
0

Hi,

The code samples from the Amplify documentation for MFA might help with setting up TOTP for a user. The same can be accomplished using the cognito library api calls as well.

AWS
answered 2 years ago
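As an added example (not code from this thread, from Amplify or from AWS), the enrollment order that avoids the "delivery config" error: associate the software token, verify it with a TOTP code, and only then set the user's MFA preference. It uses the real boto3 cognito-idp method names; the `FakeCognito` stand-in, the `enroll_totp_and_require` helper and the RFC 6238 test secret are constructed so it runs offline.

```python
import base64
import hashlib
import hmac
import struct
import time

def totp_code(base32_secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), which is what Cognito software-token MFA uses."""
    key = base64.b32decode(base32_secret.upper() + "=" * (-len(base32_secret) % 8))
    counter = int(at if at is not None else time.time()) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def enroll_totp_and_require(client, access_token, now=None):
    """Associate -> verify -> set preference, in that order.
    Calling set_user_mfa_preference before a verified software token exists is
    what yields 'User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA'.
    `client` is a boto3 cognito-idp client (or any stand-in with the same methods)."""
    secret = client.associate_software_token(AccessToken=access_token)["SecretCode"]
    # A real app takes this code from the user's authenticator app; it is computed
    # here from the secret so the whole flow can run end to end.
    result = client.verify_software_token(AccessToken=access_token,
                                          UserCode=totp_code(secret, now))
    if result.get("Status") != "SUCCESS":
        raise RuntimeError("TOTP verification failed; not enabling the preference")
    client.set_user_mfa_preference(
        AccessToken=access_token,
        SoftwareTokenMfaSettings={"Enabled": True, "PreferredMfa": True},
    )
    return {"secret": secret, "status": result["Status"]}

class FakeCognito:
    """Constructed offline stand-in that enforces the same ordering rule as Cognito."""
    def __init__(self, secret, verify_at):
        self.secret, self.verify_at, self.calls = secret, verify_at, []
    def associate_software_token(self, AccessToken):
        self.calls.append("associate")
        return {"SecretCode": self.secret}
    def verify_software_token(self, AccessToken, UserCode):
        self.calls.append("verify")
        ok = hmac.compare_digest(UserCode, totp_code(self.secret, self.verify_at))
        return {"Status": "SUCCESS" if ok else "ERROR"}
    def set_user_mfa_preference(self, AccessToken, SoftwareTokenMfaSettings):
        if "verify" not in self.calls:
            raise RuntimeError("User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA")
        self.calls.append("prefer")
        return {}
```

With a real client, pass `boto3.client("cognito-idp")` and the user's access token from InitiateAuth, and let `now` default to the current time.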
