
Cognito MFA for existing user

0

Hello,
Is it possible to add MFA authentication for an existing Cognito user, with a TOTP from an authenticator app such as Authy? I tried from the Update MFA configuration screen, but I got the error:

code: InvalidParameterException
message: User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA

Is there a link with a description of the procedure for setting up MFA using the Management Console, or another way?
Thank you,

3 Answers
2

The error User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA means the user hasn't completed the TOTP software token association step before you tried to enable MFA. Cognito requires a specific sequence to set up TOTP-based MFA.

The Required Flow

You can't just flip MFA on from the console for an existing user without first associating a TOTP token. Here's the process:

  1. Enable TOTP MFA at the User Pool level

In the AWS Console:
  • Go to Amazon Cognito → your User Pool → Sign-in experience tab
  • Under Multi-factor authentication, make sure Authenticator apps (TOTP) is checked as an available MFA method
  • Set MFA enforcement to either Required or Optional

  2. The user must associate a TOTP token (this is the missing step)

This is the part that causes your error. The user needs to go through the AssociateSoftwareToken → VerifySoftwareTokenResponse flow before MFA can be turned on. This cannot be done purely from the Management Console for an existing user — it requires API calls or the user going through your app's setup flow.

Using the AWS CLI:

    # Step 1: Get a session for the user (admin-initiated)
    aws cognito-idp admin-initiate-auth \
      --user-pool-id us-east-1_@@@@ \
      --client-id your-app-client-id \
      --auth-flow ADMIN_USER_PASSWORD_AUTH \
      --auth-parameters USERNAME=theuser,PASSWORD=theirpassword

    # Step 2: Associate a software token (use the session from step 1)
    aws cognito-idp associate-software-token \
      --session "session-string-from-step-1"

    # This returns a SecretCode — the user scans this as a QR code in Authy/Google Authenticator

    # Step 3: Verify the token (user provides a code from their authenticator app)
    aws cognito-idp verify-software-token \
      --session "session-string-from-step-2" \
      --user-code 123456

    # Step 4: Now you can set the user's MFA preference
    aws cognito-idp admin-set-user-mfa-preference \
      --user-pool-id us-east-1_@@@@ \
      --username theuser \
      --software-token-mfa-settings Enabled=true,PreferredMfa=true

  3. Alternative: Let the user self-configure via your app

If the user is already signed in with valid access tokens, you can use:

    # With the user's access token
    aws cognito-idp associate-software-token \
      --access-token "user-access-token"

    # Then verify
    aws cognito-idp verify-software-token \
      --access-token "user-access-token" \
      --user-code 123456

    # Then set preference
    aws cognito-idp set-user-mfa-preference \
      --access-token "user-access-token" \
      --software-token-mfa-settings Enabled=true,PreferredMfa=true

Why the Console Alone Doesn't Work

The Management Console's "Update MFA configuration" button tries to set the MFA preference, but skips the token association step. Without a registered TOTP device, Cognito rejects it. This is a known UX gap in the console.

Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html

EXPERT
answered 4 days ago
EXPERT
reviewed 4 days ago
  • Thank you for your answer. I did all the MFA setup only from the console, for an existing user: there is a new option in the Amazon Cognito screen -> Authentication section -> Sign-in option (it has a New flag on 03.06.2026: Passkey user verification as MFA method). For more details you can read my answer.
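To make the gap between Step 2 and Step 3 of the accepted flow concrete, here is an added example (not code from this thread): it shows what the authenticator app does with the SecretCode that associate-software-token returns, and how a verifier checks the resulting --user-code. It assumes the usual RFC 6238 parameters (HMAC-SHA1, 6 digits, 30-second step) and the otpauth Key URI format for the QR code; the secret and names are constructed.

```python
# Added example (not code from the re:Post thread): the arithmetic between
# AssociateSoftwareToken and VerifySoftwareToken. Cognito returns a base32
# SecretCode; the authenticator app stores it and derives the 6-digit codes
# that --user-code must match. Assumed parameters: RFC 6238 TOTP with
# HMAC-SHA1, 6 digits and a 30-second step.
import base64
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30  # seconds per TOTP window (assumed default)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP); this is the code the app shows."""
    at = int(time.time()) if at is None else at
    return hotp(secret_b32, at // STEP)


def otpauth_uri(secret_b32: str, username: str, issuer: str) -> str:
    """The Key URI an app encodes as the QR code the user scans into Authy/Google Authenticator."""
    label = quote(f"{issuer}:{username}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"


def verify_user_code(secret_b32: str, user_code: str, at: int, window: int = 1) -> bool:
    """What a verifier does with --user-code: accept the current window plus/minus `window`
    steps of clock drift, comparing in constant time so timing does not leak the code."""
    return any(hmac.compare_digest(totp(secret_b32, at + d * STEP), user_code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed secret: base32 of the RFC 6238 test key "12345678901234567890".
    secret = base64.b32encode(b"12345678901234567890").decode()
    print(otpauth_uri(secret, "theuser", "MyUserPool"))
    print("code now:", totp(secret))
```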

2

Yes, however, you cannot simply enable SOFTWARE_TOKEN_MFA for an existing user unless that user has already completed the TOTP registration process.

The error that you are seeing typically occurs when you call the AdminSetUserMFAPreference/SetUserMFAPreference before the user has associated and verified a software token.

Take a look at having the user set up the TOTP token and then try enabling the user again. Let me know if you see a different error after the TOTP registration process. Thanks and good luck!

AWS
answered 4 days ago
EXPERT
reviewed 4 days ago
  • Thank you for your answer. Please see in my answer the solution that worked without disabling the user: there is a new option in the Amazon Cognito screen -> Authentication section -> Sign-in option (it has a New flag on 03.06.2026: Passkey user verification as MFA method).

1

Hello again. After some investigation, I found a way to activate MFA for an existing user from the Management Console:

  • in the Amazon Cognito screen -> Authentication section -> Sign-in option (it has a New flag on 03.06.2026: Passkey user verification as MFA method)
  • the interface that appears contains a Multi-factor authentication section
  • on Edit, a new screen appears where Require MFA + MFA methods -> Authenticator apps should be checked
  • on login to the client web application, a new screen appears with an MFA QR code
  • this QR code should be scanned into an MFA authenticator application, like Authy
  • in the Amazon Cognito screen -> User management section -> Users option
  • the interface that appears lists multiple users; select the desired one
  • in the new screen for the user, on the right side at the top, there is an option: Update MFA configuration
  • check Authenticator apps and save
  • on the next login to the web client application, the token from Authy is required
answered 4 days ago
EXPERT
reviewed 4 days ago
