
Cognito MFA for existing user

0

Hello,
Is it possible to add MFA authentication for an existing Cognito user, with a TOTP from an authenticator app such as Authy? I tried from the Update MFA configuration screen, but I got the error:

code: InvalidParameterException
message: User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA

Is there a link with a description of the procedure for setting up MFA using the Management Console, or another way?
Thank you,

3 Answers
2

The error User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA means the user hasn't completed the TOTP software token association step before you tried to enable MFA. Cognito requires a specific sequence to set up TOTP-based MFA.

The Required Flow

You can't just flip MFA on from the console for an existing user without first associating a TOTP token. Here's the process:

1. Enable TOTP MFA at the User Pool level

In the AWS Console:
  • Go to Amazon Cognito → your User Pool → Sign-in experience tab
  • Under Multi-factor authentication, make sure Authenticator apps (TOTP) is checked as an available MFA method
  • Set MFA enforcement to either Required or Optional

2. The user must associate a TOTP token (this is the missing step)

This is the part that causes your error. The user needs to go through the AssociateSoftwareToken → VerifySoftwareTokenResponse flow before MFA can be turned on. This cannot be done purely from the Management Console for an existing user — it requires API calls or the user going through your app's setup flow.

Using the AWS CLI:

Step 1: Get a session for the user (admin-initiated)

```bash
aws cognito-idp admin-initiate-auth \
  --user-pool-id us-east-1_@@@@ \
  --client-id your-app-client-id \
  --auth-flow ADMIN_USER_PASSWORD_AUTH \
  --auth-parameters USERNAME=theuser,PASSWORD=theirpassword
```

Step 2: Associate a software token (use the session from step 1)

```bash
aws cognito-idp associate-software-token \
  --session "session-string-from-step-1"
```

This returns a SecretCode — the user scans this as a QR code in Authy/Google Authenticator.

Step 3: Verify the token (user provides a code from their authenticator app)

```bash
aws cognito-idp verify-software-token \
  --session "session-string-from-step-2" \
  --user-code 123456
```

Step 4: Now you can set the user's MFA preference

```bash
aws cognito-idp admin-set-user-mfa-preference \
  --user-pool-id us-east-1_@@@@ \
  --username theuser \
  --software-token-mfa-settings Enabled=true,PreferredMfa=true
```

3. Alternative: Let the user self-configure via your app

If the user is already signed in with valid access tokens, you can use:

```bash
# With the user's access token
aws cognito-idp associate-software-token \
  --access-token "user-access-token"

# Then verify
aws cognito-idp verify-software-token \
  --access-token "user-access-token" \
  --user-code 123456

# Then set preference
aws cognito-idp set-user-mfa-preference \
  --access-token "user-access-token" \
  --software-token-mfa-settings Enabled=true,PreferredMfa=true
```

Why the Console Alone Doesn't Work

The Management Console's "Update MFA configuration" button tries to set the MFA preference, but skips the token association step. Without a registered TOTP device, Cognito rejects it. This is a known UX gap in the console.

Reference https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html

EXPERT
answered 11 days ago
EXPERT
reviewed 11 days ago
  • Thank you for your answer. I did all the MFA setup only from the console, for an existing user: there is a new option in the Amazon Cognito screen -> Authentication section -> Sign-in option (has a New flag on 03.06.2026: Passkey user verification as MFA method). For more details you can read my answer.
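
The flow in the accepted answer above, as an added example in Python with boto3 (this is not code from the answer or from AWS). It drives the same AssociateSoftwareToken → VerifySoftwareToken → AdminSetUserMFAPreference sequence the CLI steps show, but also handles the case the CLI steps gloss over: admin-initiate-auth returns tokens when MFA is Optional and nothing is enrolled yet, and an MFA_SETUP challenge with a Session when MFA is Required, so the "session from step 1" only exists in the second case. It also computes the RFC 6238 code an authenticator app derives from the SecretCode, which lets you check a SecretCode end to end without a phone. The pool ID, client ID, issuer name, environment variable names and the stub client used in the test are assumptions of mine; the otpauth:// URI layout is the standard one authenticator apps scan.

```python
"""Added example: TOTP enrolment for an existing Cognito user (Python/boto3).
Not from the re:Post answer or AWS; pool/client IDs and issuer are placeholders."""
import base64
import hashlib
import hmac
import os
import struct
import time
import urllib.parse


def totp(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code Authy/Google Authenticator show
    for a Cognito SecretCode (Cognito hands the secret out as base32)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otpauth_uri(secret_b32, username, issuer):
    """Payload to render as the QR code. Issuer and label are the app's choice (assumed), not Cognito values."""
    label = urllib.parse.quote(f"{issuer}:{username}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


def enroll_totp(cognito, user_pool_id, client_id, username, password, read_code, issuer="MyApp"):
    """Admin-driven enrolment. `cognito` is a boto3 cognito-idp client (or a stub);
    `read_code(uri)` shows the QR payload to the user and returns the 6 digits they see.
    Returns the SecretCode once the preference has been set."""
    auth = cognito.admin_initiate_auth(
        UserPoolId=user_pool_id, ClientId=client_id,
        AuthFlow="ADMIN_USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    # Two outcomes: MFA Optional and nothing enrolled -> tokens; MFA Required -> MFA_SETUP challenge.
    if "AuthenticationResult" in auth:
        handle = {"AccessToken": auth["AuthenticationResult"]["AccessToken"]}
    elif auth.get("ChallengeName") == "MFA_SETUP":
        handle = {"Session": auth["Session"]}
    else:
        raise RuntimeError(f"unexpected challenge: {auth.get('ChallengeName')}")

    assoc = cognito.associate_software_token(**handle)
    secret = assoc["SecretCode"]
    if assoc.get("Session"):          # session-based flows return a fresh session to carry forward
        handle = {"Session": assoc["Session"]}

    code = read_code(otpauth_uri(secret, username, issuer))
    verified = cognito.verify_software_token(UserCode=code, **handle)
    if verified.get("Status") != "SUCCESS":
        raise RuntimeError("VerifySoftwareToken rejected the code; nothing was enabled")

    # Only now does the preference call succeed; this is the step the console button skips.
    cognito.admin_set_user_mfa_preference(
        UserPoolId=user_pool_id, Username=username,
        SoftwareTokenMfaSettings={"Enabled": True, "PreferredMfa": True},
    )
    return secret


if __name__ == "__main__":
    import boto3  # imported here so the module loads without boto3/credentials present
    client = boto3.client("cognito-idp", region_name=os.environ.get("AWS_REGION", "us-east-1"))
    enroll_totp(
        client,
        os.environ["COGNITO_USER_POOL_ID"],   # placeholder, e.g. us-east-1_XXXXXXXXX
        os.environ["COGNITO_CLIENT_ID"],
        os.environ["COGNITO_USERNAME"],
        os.environ["COGNITO_PASSWORD"],
        read_code=lambda uri: input(f"Scan {uri}\nEnter the 6-digit code: "),
    )
```

Checking a SecretCode locally with `totp()` is the quickest way to tell a clock-skew problem (codes rejected) from a flow problem (the InvalidParameterException in the question): if `totp(secret)` matches what the app shows but VerifySoftwareToken still fails, the session or access token is stale, not the authenticator.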

2

Yes, however, you cannot simply enable SOFTWARE_TOKEN_MFA for an existing user unless that user has already completed the TOTP registration process.

The error that you are seeing typically occurs when you call the AdminSetUserMFAPreference/SetUserMFAPreference before the user has associated and verified a software token.

Take a look at having the user set up the TOTP token and then try enabling the user again. Let me know if you see a different error after the TOTP registration process. Thanks and good luck!

AWS
answered 11 days ago
EXPERT
reviewed 11 days ago
  • Thank you for your answer. Please see in my answer the solution that worked without disabling the user. There is a new option in the Amazon Cognito screen -> Authentication section -> Sign-in option (has a New flag on 03.06.2026: Passkey user verification as MFA method).

1

Hello again. After some investigation, I found a way to activate MFA for an existing user from the Management Console:

  • in the Amazon Cognito screen -> Authentication section -> Sign-in option (has a New flag on 03.06.2026: Passkey user verification as MFA method)
  • the interface that appears contains a Multi-factor authentication section
  • on Edit, a new screen appears where Require MFA + MFA methods -> Authenticator apps should be checked
  • on login into the client web application, a new screen appears with an MFA QR code
  • this QR code should be used in an MFA authenticator application, like Authy
  • in the Amazon Cognito screen -> User management section -> Users option
  • the interface that appears contains multiple users, where the desired one is selected
  • in the new screen with the user, on the right side, at the top, there is an option: Update MFA configuration
  • check Authenticator apps and save
  • on a new login, in the web client application, the token from Authy is required
answered 11 days ago
EXPERT
reviewed 11 days ago
