In AWS Cognito, it is not possible to resend an MFA code without re-authentication using just the session and username. The process for handling MFA in Cognito typically follows these steps:
- The user initiates authentication with their username and password.
- If MFA is enabled, Cognito responds with a challenge, usually SOFTWARE_TOKEN_MFA or SMS_MFA.
- The user then needs to provide the MFA code to complete the authentication.
If a user doesn't receive the MFA code, they cannot simply request a resend using only the session and username. Instead, the recommended approach is to have the user go through the authentication process again from the beginning. This means they would need to sign in with their username and password once more.
The reason for this is that Cognito treats each authentication attempt as a separate session for security purposes. When a user initiates a new sign-in, a new challenge is generated, and a new MFA code is sent.
If you need to implement a feature where users can request a new MFA code without full re-authentication, you would need to design a custom solution. This might involve:
- Implementing a separate API or Lambda function to handle resend requests.
- Storing session information securely on your end.
- Implementing additional security measures to ensure the resend request is legitimate.
However, it's important to note that such a custom solution would not be a native feature of AWS Cognito and would require careful consideration of security implications.
For the best security practices and to align with Cognito's design, it's recommended to have users go through the full authentication process if they need a new MFA code.
Sources
Use RespondToAuthChallenge with an AWS SDK or CLI - Amazon Cognito
Use RespondToAuthChallenge with an AWS SDK or CLI - AWS SDK Code Examples
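The three-step flow above, with the only supported "resend" (starting over with InitiateAuth so Cognito issues a fresh Session and a fresh code), as an added Python example that is not part of this answer or of AWS's SDK examples. It uses boto3's cognito-idp method names (`initiate_auth`, `respond_to_auth_challenge`) but a constructed `FakeCognito` stand-in so it runs offline; `sign_in`, `demo`, the client id, username, password and codes are made-up values.

```python
# Added example: Cognito MFA challenge flow with a boto3-style client. The real client
# would be boto3.client("cognito-idp"); FakeCognito below is a constructed stand-in.
from typing import Callable, Optional

CODE_KEY = {"SMS_MFA": "SMS_MFA_CODE", "SOFTWARE_TOKEN_MFA": "SOFTWARE_TOKEN_MFA_CODE"}

def sign_in(client, client_id: str, username: str, password: str,
            get_code: Callable[[], Optional[str]], max_restarts: int = 2) -> dict:
    """InitiateAuth -> MFA challenge -> RespondToAuthChallenge.
    get_code() returns the code the user typed, or None if it never arrived; in that
    case we start over, because a new InitiateAuth is what issues a new Session and code."""
    for _ in range(max_restarts + 1):
        resp = client.initiate_auth(
            ClientId=client_id, AuthFlow="USER_PASSWORD_AUTH",
            AuthParameters={"USERNAME": username, "PASSWORD": password})
        challenge = resp.get("ChallengeName")
        if challenge is None:                      # MFA not required: tokens already issued
            return resp["AuthenticationResult"]
        if challenge not in CODE_KEY:
            raise RuntimeError(f"unhandled challenge {challenge}")
        code = get_code()
        if code is None:                           # no code received: re-authenticate
            continue
        resp = client.respond_to_auth_challenge(
            ClientId=client_id, ChallengeName=challenge, Session=resp["Session"],
            ChallengeResponses={"USERNAME": username, CODE_KEY[challenge]: code})
        return resp["AuthenticationResult"]
    raise RuntimeError("MFA code never received; giving up")

class FakeCognito:
    """Constructed offline stand-in for the cognito-idp client. Each InitiateAuth mints a
    new Session and a new code; a code is only valid with the Session it was sent with."""
    def __init__(self):
        self.sessions = {}                         # session id -> code sent for it
    def initiate_auth(self, **kw):
        n = len(self.sessions) + 1
        self.sessions[f"sess-{n}"] = f"{n:06d}"
        return {"ChallengeName": "SMS_MFA", "Session": f"sess-{n}", "ChallengeParameters": {}}
    def respond_to_auth_challenge(self, **kw):
        if self.sessions.get(kw["Session"]) != kw["ChallengeResponses"]["SMS_MFA_CODE"]:
            raise RuntimeError("CodeMismatchException")   # stale or wrong code for this Session
        return {"AuthenticationResult": {"AccessToken": "token-for-" + kw["Session"]}}

def demo() -> dict:
    """First code is 'lost' (None); the retry restarts InitiateAuth and answers the new one."""
    client = FakeCognito()
    answers = iter([None, "000002"])               # constructed user input
    result = sign_in(client, "app-client-id", "alice", "correct horse", lambda: next(answers))
    return {"sessions_issued": len(client.sessions), "token": result["AccessToken"]}
```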
As you've mentioned in the second point, i.e. storing session information securely on your end. So if I resend the session and username, then I should get the MFA code, right?