Cognito TOTP MFA issue

Hello,

I am trying to integrate AWS Cognito into my Java application and I am facing some issues with TOTP MFA. More specifically:

AWS Java SDK version
1.11.755

Cognito configuration
1. Users sign in using email address
2. Sign up is only allowed by administrators
3. MFA is optional and only TOTP is supported
4. An application client is created without a secret, which only supports the ALLOW_ADMIN_USER_PASSWORD_AUTH authentication flow

Process
1. I create a user using the adminCreateUser function
2. I try to log in using the adminInitiateAuth function. The first time I log in, when MFA is not yet enabled, I get the relevant tokens successfully, without having to respond to an authentication challenge (i.e. SOFTWARE_TOKEN_MFA).
3. I enable MFA for the created user using the adminSetUserMFAPreference function. I set the software token MFA as preferred and as enabled. Also, I execute the associateSoftwareToken function to get a secret, in order to use it in the authenticator application.
4. I try to log in using the adminInitiateAuth function, expecting that I will receive the SOFTWARE_TOKEN_MFA challenge in the response, but this does not happen. I get the relevant tokens and no challenge (as if MFA were disabled). I verify in the user information that MFA is correctly set.

I do exactly the same process using SMS as MFA method and the behavior is the expected one. In step 4 (i.e. sign in after MFA was enabled), I get the SMS_MFA challenge.

Can you please elaborate on why this is happening? Is something wrong in the process I am following?

I also tried using the ALLOW_USER_PASSWORD_AUTH authentication flow (via the initiateAuth function) for the user login, but the result was the same.

Asked 4 years ago, 1296 views
3 answers

Hello,

I leave this comment in case someone faces the same issue in the future. In order for the TOTP MFA method to work, you have to do an extra step (apart from the ones I described). More specifically, after you have called associateSoftwareToken to get a key and added it to your authenticator application, you must verify one TOTP code. So, in your application you should call the VerifySoftwareToken function with a valid accessToken and a valid TOTP code. If everything is successful, the next time you try to log in (in my case using adminInitiateAuth), you get the SOFTWARE_TOKEN_MFA challenge.

Best Regards,
Konstantinos

Edited by: ktzevelekidis on May 6, 2020 4:21 AM

Answered 4 years ago
In your case, is it working for all logins? I have a problem where the TOTP challenge is only sent on the first login after activation; did you find anything about it?

Answered 4 years ago

Hello,

No, in my case it works as expected. Each time I try to log in, it asks for the SOFTWARE_TOKEN_MFA challenge. In case it helps, I am using the adminInitiateAuth function for the login process.

Best Regards,
Konstantinos

Answered 4 years ago
