
AWS Cognito SMS MFA setup flow with boto3

0

What should be the correct login flow after enabling MFA if the user has not specified a phone number in advance?

Hosted UI (or Managed Login) flow looks like this:

  • user enters login and password
  • user selects SMS method
  • user enters phone number
  • user enters code from phone
  • log in, add and verify phone number and set SMS as default MFA method

How can I reproduce this flow with boto3?

My current temporary boto3 flow:

  • user enters login and password: initiate_auth returns an MFA_SETUP session
  • user selects SMS method
  • user enters phone number: admin_update_user_attributes sets the phone; admin_set_user_mfa_preference sets SMS MFA; initiate_auth with the login and password previously saved as URL parameters (not the best solution) returns an SMS_MFA session
  • user enters code from phone: respond_to_auth_challenge with SMS_MFA returns tokens and verifies the phone

In this solution I need to add the phone before its verification, which is not the best option, while with the Hosted UI the phone is added and verified only after entering the code. How can I reproduce a solution similar to the Hosted UI?

1 Answer
0

To reproduce a flow similar to the Hosted UI using boto3 for AWS Cognito SMS MFA setup, you can follow these steps:

  1. Initiate authentication: Use initiate_auth or admin_initiate_auth with the user's login and password. This will return a session token.

  2. Handle MFA_SETUP challenge: If the response includes a ChallengeName of MFA_SETUP, you'll need to set up MFA for the user.

  3. Collect phone number: Prompt the user to enter their phone number.

  4. Associate phone number and set up SMS MFA: Use admin_update_user_attributes to add the phone number to the user's attributes. Then use admin_set_user_mfa_preference to set SMS as the preferred MFA method.

  5. Restart authentication: Use initiate_auth or admin_initiate_auth again with the user's credentials.

  6. Handle SMS_MFA challenge: The response should now include a ChallengeName of SMS_MFA. Amazon Cognito will send an SMS code to the user's phone.

  7. Verify code: Prompt the user to enter the code they received. Use respond_to_auth_challenge with the challenge name SMS_MFA and the code as the response.

  8. Complete authentication: If the code is correct, respond_to_auth_challenge will return the authentication tokens.

This flow allows you to set up SMS MFA during the login process without requiring the phone number to be pre-verified. The phone number is added and the MFA method is set up before the user receives the SMS code, similar to the Hosted UI flow. The phone number is effectively verified when the user successfully enters the SMS code.

Note that this approach still adds the phone number before verification, but it closely mimics the Hosted UI flow by verifying the phone number as part of the MFA setup process. If you need to ensure the phone number is not added until after verification, you may need to implement a custom authentication flow or use AWS Lambda triggers to handle the verification process more granularly.
Sources
RespondToAuthChallenge - Amazon Cognito User Pools
AdminRespondToAuthChallenge - Amazon Cognito User Pools
InitiateAuth - Amazon Cognito User Pools
AdminInitiateAuth - Amazon Cognito User Pools

answered a year ago
EXPERT
reviewed a year ago
  • Thanks for the answer.

    This flow is exactly what I have at the moment. Its disadvantage is that if the user enters an incorrect phone number and I add this phone to his account and set SMS MFA for him, he will not be able to log in, and it will be necessary to implement a mechanism for changing the number during the authentication process.

    I didn't use a custom authentication flow before, but thanks for the advice)
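The eight steps from the answer as one server-side driver, added here as an example and not code from the question or the answer. It keeps the password in the flow object between the MFA_SETUP and SMS_MFA legs instead of in URL parameters, and exposes the same boto3 cognito-idp call names and arguments; `FakeCognito` is a constructed offline stand-in (for the real service pass `boto3.client("cognito-idp", region_name=...)`), and the pool id, app client id and SMS code used in the test are placeholders.

```python
class SmsMfaSetupFlow:
    """Drives steps 1-8; the password stays server-side, not in URL parameters."""
    def __init__(self, client, user_pool_id, client_id):
        self.client, self.pool, self.app = client, user_pool_id, client_id
        self.username = self.password = self.session = None

    def _login(self):
        return self.client.initiate_auth(
            AuthFlow="USER_PASSWORD_AUTH", ClientId=self.app,
            AuthParameters={"USERNAME": self.username, "PASSWORD": self.password})

    def start(self, username, password):
        """Steps 1-2: returns the challenge name (MFA_SETUP when no phone is registered)."""
        self.username, self.password = username, password
        resp = self._login()
        self.session = resp.get("Session")
        return resp.get("ChallengeName")

    def register_phone(self, phone_number):
        """Steps 4-6: attach phone, prefer SMS, re-authenticate so Cognito sends the code."""
        self.client.admin_update_user_attributes(
            UserPoolId=self.pool, Username=self.username,
            UserAttributes=[{"Name": "phone_number", "Value": phone_number}])
        self.client.admin_set_user_mfa_preference(
            UserPoolId=self.pool, Username=self.username,
            SMSMfaSettings={"Enabled": True, "PreferredMfa": True})
        resp = self._login()
        if resp.get("ChallengeName") != "SMS_MFA":
            raise RuntimeError(f"expected SMS_MFA, got {resp.get('ChallengeName')}")
        self.session = resp["Session"]

    def finish(self, sms_code):
        """Steps 7-8: answer SMS_MFA and return the AuthenticationResult token dict."""
        resp = self.client.respond_to_auth_challenge(
            ClientId=self.app, ChallengeName="SMS_MFA", Session=self.session,
            ChallengeResponses={"USERNAME": self.username, "SMS_MFA_CODE": sms_code})
        self.password = None  # drop the credential once tokens are issued
        return resp["AuthenticationResult"]

class FakeCognito:
    """Constructed offline stand-in for boto3.client("cognito-idp"); records call order."""
    def __init__(self):
        self.calls, self.phone = [], None
    def initiate_auth(self, **kw):
        self.calls.append("initiate_auth")
        name = "SMS_MFA" if self.phone else "MFA_SETUP"  # no phone yet -> MFA_SETUP
        return {"ChallengeName": name, "Session": f"session-for-{name}"}
    def admin_update_user_attributes(self, **kw):
        self.calls.append("admin_update_user_attributes")
        self.phone = kw["UserAttributes"][0]["Value"]
    def admin_set_user_mfa_preference(self, **kw):
        self.calls.append("admin_set_user_mfa_preference")
    def respond_to_auth_challenge(self, **kw):
        self.calls.append("respond_to_auth_challenge")
        return {"AuthenticationResult": {"AccessToken": "constructed-token"}}
```

Because the phone is written and SMS preferred before the code is checked, this driver inherits the lockout caveat raised in the comment above; the fake does not simulate a wrong code, which the real service reports as an exception from respond_to_auth_challenge.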
