Found a guide with descriptions including your dependencies:
1- Current ‘User Pool’ MFA setting: switched on as required or as optional
2- Are they keeping the phone number attribute?
The following steps are a suggested workaround, assuming that 1 above is set to required and that there is no phone number as per 2 above:
1- From AWS Cognito Console, click on ‘Manage User Pools’. Click on your user pool and under ‘General settings’, select ‘MFA and Verifications’. From there, enable ‘SMS text message’ as an additional 2nd factor MFA.
2- You need to populate the phone number attribute, either by building a custom UI where the user can request to reset their MFA, or directly without a UI: use the AdminUpdateUserAttributes call to populate the attribute directly
$ aws cognito-idp admin-update-user-attributes --user-pool-id <id value> --username <username> --user-attributes Name=phone_number,Value="<user phone number>"
3- Use AdminSetUserMFAPreference to change the user preferred MFA from TOTP to SMS
$ aws cognito-idp admin-set-user-mfa-preference --sms-mfa-settings Enabled=true,PreferredMfa=true --user-pool-id <id value> --username <username>
4- When the user tries to login after that and they receive an access token once they pass the SMS MFA, invoke AssociateSoftwareToken similar to the following command:
$ aws cognito-idp associate-software-token --access-token <the received access token>
5- Return a key that can be used to enable TOTP from the app. Use that key to execute the following command:
$ aws cognito-idp verify-software-token --access-token <access token> --user-code <Get a current TOTP from the used app>
6- Revert what was done in step 3
$ aws cognito-idp admin-set-user-mfa-preference --software-token-mfa-settings Enabled=true,PreferredMfa=true --user-pool-id <id value> --username <username>
Sorry for the late response. For some reason I didn't get an email. I don't fully understand Steps 4 and 5.
When the user tries to login after that and they receive an access token once they pass the SMS MFA, invoke AssociateSoftwareToken similar to the following command
-- After changing the preferred MFA option, when the user logs in, are they going to be prompted for SMS MFA? Or go straight to authenticated?
For Step 5:
Return a key that can be used to enable TOTP from the app. Use that key to execute the following command
-- Where is this key supposed to come from? Is the user going to be prompted to scan a QR code in any of these steps?
Right now, our user pool's MFA setting is just for authenticator apps, and it is using the hosted UI provided by Amplify as well.
Thank you so much for the help!
I have been battling the same use-case, and can't currently find a better solution than the one shared above, which unfortunately is quite cumbersome.
In answer to your follow-up Q's, I believe:
When the user tries to login after that and they receive an access token once they pass the SMS MFA, invoke AssociateSoftwareToken similar to the following command
- this would require the user to pass SMS MFA before being authenticated, assuming that: a) MFA is set to "Required" for the user pool, b) the user has a mobile number configured and c) SMS MFA is enabled for the user pool. Once authenticated, the access token issued could be used to associate & verify a new software token, replacing the lost device.
Return a key that can be used to enable TOTP from the app. Use that key to execute the following command
- this key is returned in the response to the associate-software-token request. It would be up to your application to present this code or generate a QR representation for the user to add to their TOTP app.
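The six-step workaround above, together with the follow-up point that the TOTP key comes back from AssociateSoftwareToken, as an added example that is not from this thread or from AWS. It expects a client with boto3's cognito-idp method names (admin_update_user_attributes, admin_set_user_mfa_preference, associate_software_token, verify_software_token); FakeCognito is a constructed stand-in so the flow runs offline, and the pool id, username, phone number and access token are placeholders.

```python
import base64, hmac, struct, time
from typing import Callable, Optional

def totp_now(secret_b32: str, at: Optional[int] = None, digits: int = 6) -> str:
    """RFC 6238 TOTP (SHA-1, 30 s step): the code an authenticator app derives
    from the base32 SecretCode that AssociateSoftwareToken returns."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if at is None else at) // 30
    mac = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def enable_sms_fallback(cog, pool: str, user: str, phone: str) -> None:
    """Steps 2-3 (admin side): store phone_number, make SMS the preferred MFA."""
    if not phone.startswith("+"):  # Cognito expects E.164 numbers
        raise ValueError("phone must be E.164, e.g. +15555550100 (placeholder)")
    cog.admin_update_user_attributes(UserPoolId=pool, Username=user,
        UserAttributes=[{"Name": "phone_number", "Value": phone}])
    cog.admin_set_user_mfa_preference(UserPoolId=pool, Username=user,
        SMSMfaSettings={"Enabled": True, "PreferredMfa": True})

def reenrol_totp(cog, pool: str, user: str, access_token: str,
                 ask_user_for_code: Callable[[str], str]) -> str:
    """Steps 4-6: with the access token issued after the user passes SMS MFA,
    associate a new software token, verify it with a code from the new app, then
    make TOTP preferred again. Switching SMS off here is this example's choice."""
    secret = cog.associate_software_token(AccessToken=access_token)["SecretCode"]
    code = ask_user_for_code(secret)  # your UI shows secret (or a QR); user types code
    status = cog.verify_software_token(AccessToken=access_token, UserCode=code)["Status"]
    if status != "SUCCESS":
        raise RuntimeError(f"verify_software_token returned {status}")
    cog.admin_set_user_mfa_preference(UserPoolId=pool, Username=user,
        SoftwareTokenMfaSettings={"Enabled": True, "PreferredMfa": True},
        SMSMfaSettings={"Enabled": False, "PreferredMfa": False})
    return status

class FakeCognito:
    """Constructed stand-in for boto3.client("cognito-idp") with the same method
    names, so the flow can run offline; pass the real client in production."""
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, base32
    def __init__(self): self.calls = []
    def admin_update_user_attributes(self, **kw): self.calls.append(("attrs", kw))
    def admin_set_user_mfa_preference(self, **kw): self.calls.append(("mfa", kw))
    def associate_software_token(self, **kw):
        self.calls.append(("associate", kw)); return {"SecretCode": self.SECRET}
    def verify_software_token(self, **kw):  # accepts current and previous 30 s step
        t = int(time.time()); ok = kw["UserCode"] in {totp_now(self.SECRET, t), totp_now(self.SECRET, t - 30)}
        self.calls.append(("verify", kw)); return {"Status": "SUCCESS" if ok else "ERROR"}
```

Run enable_sms_fallback first, have the user sign in through SMS MFA, then call reenrol_totp with the resulting access token; ask_user_for_code is whatever your app uses to display the secret and collect the user's first code.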