
Email MFA is the only option for all users after enabling Email MFA

0

We are using the AWS Cognito hosted sign-up page. We enabled email, SMS and authenticator app as MFA options in AWS Cognito, but after email MFA is enabled, the MFA selection step disappears after user sign-up. Email is set as the only MFA method the user can use by default, with no option to choose.

Have you run into the same issue? Is it a bug, or is something wrong in my configuration?


asked 10 months ago, 354 views
2 Answers
1
Accepted Answer

To allow users to switch from Email MFA to TOTP after sign-up, you'll need to implement a custom flow. Here is how:

  1. Keep Email MFA as the default: users sign up and get email MFA by default. https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html

  2. Implement the MFA change flow: use the SetUserMFAPreference API to change the MFA type. API reference: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html

  3. Associate TOTP with the user: use the AssociateSoftwareToken API. https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AssociateSoftwareToken.html

  4. Verify the TOTP setup: use the VerifySoftwareToken API. https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifySoftwareToken.html

  5. Set TOTP as the preferred MFA: use the SetUserMFAPreference API again.

  6. Implement a custom authentication flow: you may need to customize the authentication flow to accommodate this change. Guide: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html

Make sure you're following best practices for MFA changes: https://docs.aws.amazon.com/cognito/latest/developerguide/managing-security.html

SDK documentation: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-sdk.html

Remember, this approach requires custom development on your part. You'll need to create a user interface for initiating and managing the MFA change process, handle potential errors, and ensure a smooth user experience throughout the transition.

AWS, answered 10 months ago
AWS EXPERT, reviewed 8 months ago
  • Thx Rumaisa! This is really helpful.
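The self-service part of the flow the accepted answer describes, as an added example (not AWS's code and not the answer's own). It runs the three user-pool calls in the order Cognito requires, AssociateSoftwareToken, then VerifySoftwareToken, then SetUserMFAPreference, because Cognito rejects a TOTP preference for a user who has no verified software token; it also shows the pieces the hosted UI normally hides from you: the otpauth URI your app must render as a QR code, and the RFC 6238 code the user's authenticator computes from the returned SecretCode. Assumptions: the signed-in user's access token was issued with the aws.cognito.signin.user.admin scope (the self-service MFA APIs require it), and the pool's MFA setting is OPTIONAL so a user can hold more than one method. The FakeCognitoClient class is a constructed stand-in so the example runs offline; against a real pool you pass a boto3 `cognito-idp` client in its place.

```python
"""Move a Cognito user from email MFA to TOTP after sign-up.

Added example; not AWS code. ACCESS_TOKEN and the demo secret are placeholders.
"""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse


def totp_code(secret_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over SHA-1 with a 30 s step: what an authenticator app
    computes from the SecretCode that AssociateSoftwareToken returns."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def otpauth_uri(secret_b32: str, username: str, issuer: str) -> str:
    """otpauth:// URI to render as a QR code; the hosted UI does this for you,
    a custom flow has to do it itself."""
    label = urllib.parse.quote(f"{issuer}:{username}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={urllib.parse.quote(issuer)}"


def authenticator_app(secret_b32: str) -> str:
    """Stands in for the user's authenticator: the current code for the secret."""
    return totp_code(secret_b32, int(time.time()))


def switch_email_mfa_to_totp(client, access_token: str, read_user_code) -> dict:
    """Enrol a TOTP device, make it the preferred MFA, and disable email MFA.

    `client` is a boto3 cognito-idp client (or a stand-in with the same methods);
    `read_user_code(secret)` returns the 6-digit code the user typed after
    scanning the QR code.
    """
    # 1. AssociateSoftwareToken: Cognito generates the shared secret.
    assoc = client.associate_software_token(AccessToken=access_token)
    secret = assoc["SecretCode"]
    # 2. Show otpauth_uri(secret, ...) as a QR code and collect one code.
    user_code = read_user_code(secret)
    # 3. VerifySoftwareToken: a correct code proves the app holds the secret.
    verify = client.verify_software_token(
        AccessToken=access_token, UserCode=user_code, FriendlyDeviceName="authenticator-app"
    )
    if verify.get("Status") != "SUCCESS":
        raise RuntimeError(f"TOTP verification failed: {verify}")
    # 4. SetUserMFAPreference: TOTP becomes preferred, email MFA is switched off.
    client.set_user_mfa_preference(
        AccessToken=access_token,
        SoftwareTokenMfaSettings={"Enabled": True, "PreferredMfa": True},
        EmailMfaSettings={"Enabled": False, "PreferredMfa": False},
    )
    return {"secret": secret, "status": verify["Status"]}


class FakeCognitoClient:
    """Constructed stand-in for the boto3 client so the flow runs offline.
    It mimics the three responses; nothing here talks to a user pool."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.preference = None

    def associate_software_token(self, AccessToken, Session=None):
        return {"SecretCode": self.secret, "Session": "s1"}

    def verify_software_token(self, AccessToken, UserCode, Session=None, FriendlyDeviceName=None):
        now = int(time.time())
        # Accept one step of clock skew either side, as TOTP verifiers commonly do.
        ok = any(totp_code(self.secret, now + d) == UserCode for d in (-30, 0, 30))
        return {"Status": "SUCCESS" if ok else "ERROR", "Session": "s2"}

    def set_user_mfa_preference(self, AccessToken, **settings):
        self.preference = settings
        return {}


if __name__ == "__main__":
    fake = FakeCognitoClient("JBSWY3DPEHPK3PXP")  # constructed demo secret
    print(switch_email_mfa_to_totp(fake, "ACCESS_TOKEN", authenticator_app), fake.preference)
    # Real pool: import boto3; client = boto3.client("cognito-idp", region_name="us-east-1")
```

Two practical notes: the hosted UI will not offer TOTP setup to a user whose only preference is email, so this flow has to live in your own application behind a signed-in session, and if the pool's MFA setting is REQUIRED rather than OPTIONAL the last call must leave at least one method enabled or Cognito rejects it.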

1

This is actually the intended functionality, though it's not immediately apparent from the configuration options. When Email MFA is enabled in Cognito, the system automatically enforces it as the default and only MFA method, bypassing the MFA selection screen entirely. This is part of Cognito's design, where email MFA is treated as a required verification method rather than an optional MFA choice.

If you need to provide MFA options to your users, here are the recommended approaches:

  1. For multiple MFA choices: disable Email MFA, and enable only SMS and/or TOTP (authenticator app) as MFA options.

  2. Recommended configuration: implement email verification during the sign-up process, and configure SMS/TOTP as MFA options. This provides both email verification and MFA flexibility. https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html

AWS, answered 10 months ago
EXPERT, reviewed 10 months ago
  • Got it. Thx Rumaisa. Some users like the email MFA, but some still want to use TOTP. Is it possible to keep the email MFA as the default way, but provide a way for users to change the MFA to TOTP after they sign up?
