Cognito set user MFA required when using TOTP only

3

Good day

Cognito can enforce MFA across the whole pool, which enforces the MFA setup auth flow even for users that haven't set up TOTP yet. However, when the pool's MFA is set to optional, setting TOTP MFA to required on a user fails with the error: "User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA".

However, as mentioned, when enforcing MFA globally this is not an issue.

How then can one force MFA auth flow when using TOTP only on a per-user basis?

What we've discovered thus far: when explicitly calling associateSoftwareToken after a login (without MFA), one can set a user to REQUIRED with SOFTWARE_TOKEN_MFA; however, the auth flow is still not enforced, and there is no way with the API to discover whether the MFA is functional.

We have the requirement to have per-user MFA requirements.

We believe this is in fact a bug. Currently we are forced to either manually implement MFA in our app itself, or force MFA globally for all users.
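
Added example (not code from the question or from AWS): the per-user TOTP enrolment sequence this thread revolves around, in the order the Cognito IDP API expects it, AssociateSoftwareToken, then VerifySoftwareToken with a code derived from the returned SecretCode, and only then AdminSetUserMFAPreference, followed by a read of UserMFASettingList from AdminGetUser to see which factors are actually enabled. The boto3 method names and parameters are the real cognito-idp API; the FakeCognito class, the pool id, username and access token are constructed stand-ins that model the behaviour described in the question so the module runs offline. The TOTP routine is standard RFC 6238 over the base32 secret and is what a test harness or a server-side enrolment step would use to produce the code an authenticator app would otherwise supply.

```python
"""Per-user TOTP enrolment against Cognito (added example, not the post's own code)."""
import base64
import hashlib
import hmac
import struct
import time


def totp_code(base32_secret, now=None, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) from the SecretCode that AssociateSoftwareToken returns."""
    if now is None:
        now = int(time.time())
    padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp_enforced(client, user_pool_id, username):
    """AdminGetUser's UserMFASettingList names the factors enabled for the user."""
    user = client.admin_get_user(UserPoolId=user_pool_id, Username=username)
    return "SOFTWARE_TOKEN_MFA" in user.get("UserMFASettingList", [])


def enroll_totp(client, access_token, user_pool_id, username, now=None):
    """Associate, verify, then require TOTP for one user.  Calling the preference
    API before a token has been verified produces the error quoted in the question."""
    secret = client.associate_software_token(AccessToken=access_token)["SecretCode"]
    # In production the user types this code from their authenticator app.
    code = totp_code(secret, now)
    status = client.verify_software_token(AccessToken=access_token, UserCode=code)["Status"]
    if status != "SUCCESS":
        raise RuntimeError("VerifySoftwareToken returned %s" % status)
    client.admin_set_user_mfa_preference(
        UserPoolId=user_pool_id,
        Username=username,
        SoftwareTokenMfaSettings={"Enabled": True, "PreferredMfa": True},
    )
    return totp_enforced(client, user_pool_id, username)


class FakeCognito:
    """Constructed stand-in for boto3.client("cognito-idp"), modelling only the
    behaviour described in the question; not the real service."""
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key, base32

    def __init__(self, now):
        self.now = now
        self.verified = False
        self.mfa_settings = []

    def associate_software_token(self, AccessToken):
        return {"SecretCode": self.SECRET}

    def verify_software_token(self, AccessToken, UserCode):
        self.verified = hmac.compare_digest(UserCode, totp_code(self.SECRET, self.now))
        return {"Status": "SUCCESS" if self.verified else "ERROR"}

    def admin_set_user_mfa_preference(self, UserPoolId, Username, SoftwareTokenMfaSettings):
        if not self.verified:
            raise Exception("User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA")
        self.mfa_settings = ["SOFTWARE_TOKEN_MFA"] if SoftwareTokenMfaSettings.get("Enabled") else []
        return {}

    def admin_get_user(self, UserPoolId, Username):
        return {"Username": Username, "UserMFASettingList": list(self.mfa_settings)}


def demo_wrong_order(now=59):
    """Reproduce the question's failure: preference set before any token is verified."""
    fake = FakeCognito(now)
    try:
        fake.admin_set_user_mfa_preference("us-east-1_EXAMPLE", "alice",
                                           {"Enabled": True, "PreferredMfa": True})
    except Exception as exc:
        return str(exc)
    return ""


def demo_enroll(now=59):
    """Full sequence against the fake; swap in boto3.client("cognito-idp") for real use."""
    return enroll_totp(FakeCognito(now), "constructed-access-token",
                       "us-east-1_EXAMPLE", "alice", now=now)


if __name__ == "__main__":
    print("wrong order ->", demo_wrong_order())
    print("enrolled, TOTP listed ->", demo_enroll())
```

The preference call only takes effect when the pool's MFA setting is OPTIONAL; with MFA OFF per-user preferences are ignored, and with MFA ON every user is forced through setup regardless of preference, which is the global behaviour the question wants to avoid.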

3 Answers
1

Is there any update on this thread? When MFA is set to optional for the User Pool and I try to turn on Software Authenticator access for a user, I get the "User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA" error.

Mark
answered 2 years ago
1

Anyone found a solution for this? We've been dealing with the exact same issue and the docs don't provide any information on this.

symag
answered 2 years ago
0

Hi,

The code samples from the Amplify documentation for MFA might help with setting up TOTP for a user. The same can be accomplished using the Cognito library API calls as well.

AWS
answered 2 years ago
