Cognito TOTP MFA issue

0

Hello,

I am trying to integrate AWS Cognito into my Java application and I am facing some issues with TOTP MFA. More specifically:

AWS Java SDK version
1.11.755

Cognito configuration
1. Users sign in using email address
2. Sign up is only allowed by administrators
3. MFA is optional and only TOTP is supported
4. An application client is created without secret, which only supports ALLOW_ADMIN_USER_PASSWORD_AUTH authentication flow

Process
1. I create a user using the adminCreateUser function
2. I try to login using the adminInitiateAuth function. The first time I login, when MFA is not yet enabled, I get the relevant tokens successfully, without having to respond to an authentication challenge (i.e. SOFTWARE_TOKEN_MFA).
3. I enable MFA for the created user using the adminSetUserMFAPreference function. I set the software token MFA as preferred and as enabled. Also, I execute the associateSoftwareToken function to get a secret, in order to use it in the authenticator application.
4. I try to login using the adminInitiateAuth function, expecting that I will receive the SOFTWARE_TOKEN_MFA challenge in the response, but this does not happen. I get the relevant tokens and no challenge (as if MFA were disabled). I verify in the user information that MFA is correctly set.

I do exactly the same process using SMS as MFA method and the behavior is the expected one. In step 4 (i.e. sign in after MFA was enabled), I get the SMS_MFA challenge.

Can you please elaborate on why this is happening? Is something wrong in the process I am following?

I also tried to use the ALLOW_USER_PASSWORD_AUTH authentication flow (via the initiateAuth function) for the login of the user, but the result was the same.

asked 3 years ago · 330 views
3 Answers
0

Hello,

I leave this comment in case someone faces the same issue in the future. In order to have the TOTP MFA method work, you have to do an extra step (apart from the ones I described). More specifically, after you have called associateSoftwareToken to get a key and added it to your authenticator application, you must verify one TOTP code. So, in your application you should call the VerifySoftwareToken function with a valid accessToken and a valid TOTP code. If everything is successful, the next time you try to login (in my case using adminInitiateAuth), you get the SOFTWARE_TOKEN_MFA challenge.

Best Regards,
Konstantinos

Edited by: ktzevelekidis on May 6, 2020 4:21 AM

answered 3 years ago
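The complete enrollment sequence from the answer above, as an added example with AWS Java SDK v1 (not code from the original question or answer). It assumes placeholder pool and client IDs, an access token obtained from the first, challenge-free login, and a first TOTP code read from the authenticator app after loading the secret; the check in loginWithTotp makes the failure mode visible: tokens returned without a challenge mean MFA is not actually being enforced for that user.

```java
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClientBuilder;
import com.amazonaws.services.cognitoidp.model.*;
import java.util.HashMap;
import java.util.Map;
public class CognitoTotpEnrollment {
    // Placeholders: substitute your own pool, app client (created without a secret) and user.
    static final String USER_POOL_ID = "<user-pool-id>";
    static final String CLIENT_ID = "<app-client-id>";
    static final AWSCognitoIdentityProvider cognito = AWSCognitoIdentityProviderClientBuilder.defaultClient();
    static AdminInitiateAuthResult login(String username, String password) {
        Map<String, String> params = new HashMap<>();
        params.put("USERNAME", username);
        params.put("PASSWORD", password);
        return cognito.adminInitiateAuth(new AdminInitiateAuthRequest()
                .withUserPoolId(USER_POOL_ID).withClientId(CLIENT_ID)
                .withAuthFlow(AuthFlowType.ADMIN_USER_PASSWORD_AUTH).withAuthParameters(params));
    }
    /** Step 3 plus the step the question omitted: associate, verify one code, then set the preference. */
    static void enrollTotp(String username, String accessToken, String firstTotpCode) {
        // Secret to load into the authenticator app; firstTotpCode is a code it generated from it.
        String secret = cognito.associateSoftwareToken(
                new AssociateSoftwareTokenRequest().withAccessToken(accessToken)).getSecretCode();
        // Missing step: prove possession of the secret once. Until this returns SUCCESS the
        // token is not verified and Cognito issues no SOFTWARE_TOKEN_MFA challenge.
        VerifySoftwareTokenResult verify = cognito.verifySoftwareToken(new VerifySoftwareTokenRequest()
                .withAccessToken(accessToken).withUserCode(firstTotpCode).withFriendlyDeviceName("authenticator"));
        if (!"SUCCESS".equals(verify.getStatus())) {
            throw new IllegalStateException("TOTP verification failed: " + verify.getStatus());
        }
        cognito.adminSetUserMFAPreference(new AdminSetUserMFAPreferenceRequest()
                .withUserPoolId(USER_POOL_ID).withUsername(username)
                .withSoftwareTokenMfaSettings(new SoftwareTokenMfaSettingsType().withEnabled(true).withPreferredMfa(true)));
    }
    /** Step 4: the login must now return the challenge; tokens without one mean MFA is not enforced. */
    static AuthenticationResultType loginWithTotp(String username, String password, String totpCode) {
        AdminInitiateAuthResult first = login(username, password);
        if (!ChallengeNameType.SOFTWARE_TOKEN_MFA.toString().equals(first.getChallengeName())) {
            throw new IllegalStateException("expected SOFTWARE_TOKEN_MFA, got " + first.getChallengeName());
        }
        Map<String, String> answers = new HashMap<>();
        answers.put("USERNAME", username);
        answers.put("SOFTWARE_TOKEN_MFA_CODE", totpCode);
        return cognito.adminRespondToAuthChallenge(new AdminRespondToAuthChallengeRequest()
                .withUserPoolId(USER_POOL_ID).withClientId(CLIENT_ID)
                .withChallengeName(ChallengeNameType.SOFTWARE_TOKEN_MFA).withSession(first.getSession())
                .withChallengeResponses(answers)).getAuthenticationResult();
    }
}
```

The same ordering applies with initiateAuth and USER_PASSWORD_AUTH; only the request types change.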
0

In your case is it working for all logins? I have a problem where the TOTP challenge is only sent on the first login after activation, did you find anything about it?

answered 2 years ago
0

Hello,

No, in my case it works as expected. Each time I try to login, it asks for the SOFTWARE_TOKEN_MFA challenge. In case it helps, I am using the adminInitiateAuth function for the login process.

Best Regards,
Konstantinos

answered 2 years ago
