I’ve run into similar scenarios, so here’s what I’ve gathered.
Amplify by default treats MFA as optional, and you can’t globally force all existing users to set up TOTP before authentication in one simple call. The typical flow is users sign in, then if MFA is enabled but not set up, Amplify prompts for TOTP setup in the nextStep.
To force TOTP setup on next sign-in (before full access), you need to manage this server-side:
- Update the user's MFA settings in Cognito to require TOTP. Use the Admin API (AdminSetUserMFAPreference or AdminUpdateUserAttributes) to mark MFA as required for that specific user.
- Mark MFA as required for the user pool or specific users in Cognito’s settings. But keep in mind this applies to future sign-ins, and AWS Cognito doesn’t trigger TOTP setup before the initial authentication step; it requires the user to be authenticated first.
- Custom challenge Lambda triggers. For stricter enforcement, some implement custom auth flows or pre-auth Lambdas that check user attributes (like a flag mfaSetupComplete) and deny token issuance until TOTP is configured. This means your backend can reject tokens until the user finishes TOTP setup.
- On the frontend, when you detect a user’s MFA is required but not set up, you can explicitly call Auth.setupTOTP(user) and show the setup dialog before allowing access.
Unfortunately, there isn’t a built-in Amplify UI flow that forces the TOTP setup before authentication completes. The key is combining Cognito user pool settings and your backend’s token validation logic to block access until MFA is fully set up. If you want, I can share some code snippets or Lambda trigger examples that helped me enforce this stricter flow.
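The answer above ends on "your backend's token validation logic to block access until MFA is fully set up". Here is an added example of that gate on the resource-server side; it is not code from the answer's author, the original poster, or Amplify. It assumes the ID token has already been signature-verified (for instance with a library such as aws-jwt-verify) and its claims are handed in as an object, and it assumes a custom user-pool attribute named `custom:mfaSetupComplete` (a hypothetical name standing in for the `mfaSetupComplete` flag the answer mentions) that your enrolment endpoint sets to `"true"` once TOTP verification succeeds. The route names are also made up for the example.

```javascript
// Added example, not from the original thread: a resource-server gate that
// refuses requests from users who have authenticated with a password but have
// not yet completed TOTP enrolment.
//
// Assumptions (not from the page):
//  - `claims` is the payload of an ID token whose signature has already been
//    verified upstream; nothing here checks the signature.
//  - the user pool has a custom attribute `custom:mfaSetupComplete`
//    (hypothetical name) that the enrolment endpoint sets to "true".
//  - the route strings below are hypothetical.

// Routes an authenticated-but-unenrolled user may still reach, so that they can
// finish TOTP enrolment. Everything else requires the flag.
const MFA_SETUP_ALLOWLIST = new Set([
  'POST /mfa/setup',  // backend calls Cognito AssociateSoftwareToken for the user
  'POST /mfa/verify', // backend calls VerifySoftwareToken, then sets the flag
  'POST /auth/logout',
]);

function mfaSetupComplete(claims) {
  // Cognito serialises custom attributes as strings; accept only the exact literal,
  // so "True", "1" or a missing attribute all count as not enrolled.
  return claims['custom:mfaSetupComplete'] === 'true';
}

// Returns a decision object instead of throwing so callers can map it to HTTP.
function authorizeRequest(claims, method, path, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!claims || typeof claims !== 'object') {
    return { allowed: false, status: 401, reason: 'missing claims' };
  }
  // Only ID tokens carry custom attributes. An access token would silently lack
  // the flag and make every user look unenrolled, so reject it explicitly.
  if (claims.token_use !== 'id') {
    return { allowed: false, status: 401, reason: 'expected an ID token' };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { allowed: false, status: 401, reason: 'token expired' };
  }
  const route = `${String(method).toUpperCase()} ${path}`;
  if (mfaSetupComplete(claims) || MFA_SETUP_ALLOWLIST.has(route)) {
    return { allowed: true, status: 200, reason: 'ok' };
  }
  // Signed in, token valid, but TOTP not set up: deny everything off the allowlist.
  return { allowed: false, status: 403, reason: 'mfa setup required' };
}

// Constructed sample claims (not real tokens): one enrolled user and one who has
// only completed the password step.
const ENROLLED = { sub: 'user-1', token_use: 'id', exp: 2000000000, 'custom:mfaSetupComplete': 'true' };
const UNENROLLED = { sub: 'user-2', token_use: 'id', exp: 2000000000 };
const FIXED_NOW = 1700000000; // fixed clock so the demo is deterministic

function demo() {
  return [
    authorizeRequest(ENROLLED, 'GET', '/reports', FIXED_NOW),
    authorizeRequest(UNENROLLED, 'GET', '/reports', FIXED_NOW),
    authorizeRequest(UNENROLLED, 'POST', '/mfa/setup', FIXED_NOW),
    authorizeRequest({ ...ENROLLED, token_use: 'access' }, 'GET', '/reports', FIXED_NOW),
  ].map((d) => `${d.status} ${d.reason}`);
}

console.log(demo().join('\n'));
```

The gate sits at the API rather than in a pre-authentication trigger on purpose: a trigger that refuses sign-in outright for unenrolled users also blocks the very sign-in they need in order to run `setUpTOTP`/`verifyTOTPSetup`, whereas allowing the first authentication and then confining the session to the enrolment routes closes the gap without that chicken-and-egg problem. Keep the allowlist short, and log the 403 decisions: a spike of `mfa setup required` denials for one subject is a useful signal that someone is trying to use a half-enrolled account.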

Thanks, those were kind of the solution we had. I'm coming from Amplify V4, which had better triggers to handle this, and I was hoping V6 would have something similar. In my mind V5 & V6 have lost too many useful features compared to V4, but security concerns forced us to upgrade. Anyways, thanks for the answer and have a nice summer :)
-Jukka Huuskonen