Cognito error for MFA Totp



I setup a cognito user pool, and I have one user there, with software token MFA enabled. I am trying to send a SELECT_MFA_TYPE challenge (from a Java app, with the challenge responses containing an "ANSWER" with value "SOFTWARE_TOKEN_MFA"), but I keep getting The chosen MFA method cannnot be triggered. (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: NotAuthorizedException;). I am not sure what is the issue, I don't see any other information that could help me debug. Does anyone have any idea what could be causing this?

Thank you, Irina

asked 7 months ago389 views
1 Answer

The error message you are encountering, "The chosen MFA method cannot be triggered," typically occurs when there is an issue with the MFA settings or the user's MFA status in Amazon Cognito. To resolve this issue, you can check the following:

  1. MFA Configuration in Cognito: Ensure that you have configured Multi-Factor Authentication (MFA) correctly in your Cognito User Pool.

    • Verify that MFA is enabled for the user pool.
    • Check that the software token MFA method is enabled in the MFA settings of your user pool. To do this, go to the AWS Cognito console, select your user pool, navigate to the MFA and verifications tab, and make sure "Optional" or "Required" is selected for "Which second factors do you want to enable?"
    • Confirm that the user pool has software token MFA enabled at the user level.
  2. User's MFA Status: Check the MFA status of the user you are trying to challenge. The user must have MFA configured and enabled in their profile.

    • In the AWS Cognito console, navigate to the "Users and groups" section, find the user, and verify that they have MFA enabled and associated with a software token.
  3. Challenge Name and Response: Ensure that you are sending the correct challenge name and response in your Java application. When you send the SELECT_MFA_TYPE challenge, make sure that you include "SOFTWARE_TOKEN_MFA" as the answer.

// Example Java code
Map<String, String> challengeResponses = new HashMap<>();
challengeResponses.put("ANSWER", "SOFTWARE_TOKEN_MFA");

  1. User's Device and TOTP Setup: Verify that the user has set up a Time-Based One-Time Password (TOTP) software token on their device (e.g., a mobile authenticator app like Google Authenticator or Authy). Without a TOTP setup on the user's device, they won't be able to respond to the software token MFA challenge.

  2. Refresh Token or Session Issues: Sometimes, issues can arise due to expired tokens or sessions. If the user's session or refresh token has expired, it can result in MFA challenges not working as expected. Ensure that your user's tokens are still valid.

  3. Logs and Debugging: Enable logging and debugging in your Java application to capture any additional information or error messages that might provide more details about the issue. AWS CloudWatch logs can be useful for this purpose.

If you've checked all of the above and the issue persists, consider reviewing your Cognito user pool configuration and potentially creating a new user pool to see if the issue is specific to the current configuration. Additionally, make sure that you are using the latest version of the AWS SDK for Java to interact with Cognito.

answered 7 months ago
profile picture
reviewed 18 days ago
  • Thank you very much for the suggestions. My issue was actually the fact that I sent the SELECT_MFA_TYPE challenge for a user with only the software token MFA enabled. It seems that challenge throws an error if the user doesn't have both MFA methods enabled :D

  • You're welcome! I'm glad you were able to identify the issue. Yes, the SELECT_MFA_TYPE challenge is designed to let users choose between multiple MFA methods if they have more than one enabled. If a user only has one MFA method enabled (in your case, software token MFA), there's no need to present the choice, and that's why it was causing an error.

    Thank you for sharing the resolution to your issue, and if you have any more questions or encounter any other challenges, feel free to ask. Good luck with your development!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions