The Cognito Javascript SDK example snippets contain the following markup:
    cognitoUser.enableMFA(function(err, result) {
        if (err) {
            alert(err);
            return;
        }
        console.log('call result: ' + result);
    });
Does Cognito differentiate between MFA using TOTP or SMS? For example, the snippet above does not allow us to select what type of MFA we want, so is that something that is set up during pool configuration?
Scrolling all the way to the bottom of the examples document reveals this code sample:
    totpMfaSettings = {
        PreferredMfa : true,
        Enabled : true
    };
    cognitoUser.setUserMfaPreference(null, totpMfaSettings, function(err, result) {
        if (err) {
            alert(err);
        }
        console.log('call result ' + result);
    });
The PreferredMfa parameter seems like a strange way to specify that TOTP is preferred. So would we set up users for SMS MFA by default and then switch them to TOTP using an API call as shown above? Also, how do we pass the initial TOTP QR code / seed, and which TOTP app is the user using?
It seems to me the AWS Cognito documentation and API are very confusing, and here "enableMFA" / "disableMFA" mean only SMS MFA. If you want to choose between SMS and TOTP, use cognitoUser.setUserMfaPreference. Also, the AWS.CognitoIdentityServiceProvider.getUser API allows you to check the MFA preference.
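As an added example (not code from the question, the answer, or the SDK itself), the TOTP enrolment flow the question asks about, built on the CognitoUser callback methods of amazon-cognito-identity-js (associateSoftwareToken, verifySoftwareToken, setUserMfaPreference, getUserData); the FakeCognitoUser, the issuer "ExampleCorp", the account name, the secret and the code '123456' are constructed stand-ins so it runs offline, and `cognitoUser` is assumed to be an already authenticated user.

```javascript
// Added example: enrol a signed-in user in TOTP and make it the preferred MFA
// using the CognitoUser callback methods of amazon-cognito-identity-js. The QR
// code is just an otpauth:// URI built from the secret Cognito hands back.
function totpUri(issuer, accountName, secret) {
  const label = encodeURIComponent(`${issuer}:${accountName}`);
  return `otpauth://totp/${label}?secret=${secret}&issuer=${encodeURIComponent(issuer)}`;
}

// Promise wrappers around the SDK's callback-style signatures.
const associate = (u) => new Promise((ok, fail) =>
  u.associateSoftwareToken({ associateSecretCode: ok, onFailure: fail }));
const verify = (u, code, device) => new Promise((ok, fail) =>
  u.verifySoftwareToken(code, device, { onSuccess: ok, onFailure: fail }));
const setPreference = (u, sms, totp) => new Promise((ok, fail) =>
  u.setUserMfaPreference(sms, totp, (err, res) => (err ? fail(err) : ok(res))));
const userData = (u) => new Promise((ok, fail) =>
  u.getUserData((err, d) => (err ? fail(err) : ok(d)), { bypassCache: true }));

// 1) get a secret, 2) the user proves possession with one code from their app,
// 3) enable TOTP and mark it preferred (null leaves the SMS setting untouched),
// 4) read back PreferredMfaSetting / UserMFASettingList to confirm the switch.
async function enrollTotp(user, issuer, accountName, codeFromApp) {
  const secret = await associate(user);
  const uri = totpUri(issuer, accountName, secret); // render this as the QR code
  await verify(user, codeFromApp, 'primary-authenticator');
  await setPreference(user, null, { Enabled: true, PreferredMfa: true });
  const d = await userData(user);
  return { uri, preferred: d.PreferredMfaSetting, enabled: d.UserMFASettingList };
}

// Constructed stand-in for an authenticated CognitoUser so the flow runs offline;
// it mirrors the method shapes above and rejects a wrong code as Cognito would.
class FakeCognitoUser {
  constructor() { this.verified = false; this.pref = null; this.list = []; }
  associateSoftwareToken(cb) { cb.associateSecretCode('JBSWY3DPEHPK3PXP'); } // constructed secret
  verifySoftwareToken(code, _device, cb) {
    if (code !== '123456') return cb.onFailure(new Error('EnableSoftwareTokenMFAException'));
    this.verified = true; cb.onSuccess('SUCCESS');
  }
  setUserMfaPreference(_sms, totp, cb) {
    if (!this.verified) return cb(new Error('InvalidParameterException'));
    this.list = totp && totp.Enabled ? ['SOFTWARE_TOKEN_MFA'] : [];
    this.pref = totp && totp.PreferredMfa ? 'SOFTWARE_TOKEN_MFA' : null;
    cb(null, 'SUCCESS');
  }
  getUserData(cb) { cb(null, { PreferredMfaSetting: this.pref, UserMFASettingList: this.list }); }
}

enrollTotp(new FakeCognitoUser(), 'ExampleCorp', 'alice@example.com', '123456')
  .then((r) => console.log(r), (e) => console.error('enrolment failed:', e.message));
```

Against a real pool, swap FakeCognitoUser for the CognitoUser returned by a successful authenticateUser call; the getUserData result is what the answer's getUser check returns.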