When using setPreferredMFA, the SMS MFA Status in Cognito user pools is shown as disabled even if setPreferredMFA is set.
What does SMS MFA Status represent, and what does it do when I enable or disable it?
Thank you
This is nothing more than an inconsistency in AWS console/API responses. Example: let's enable SMS MFA for a user:
aws cognito-idp set-user-mfa-preference --sms-mfa-settings Enabled=true,PreferredMfa=true --access-token <value>
Yes, in the console it still looks as if SMS MFA was not enabled. But this is not true. Let's get our user's data:
aws cognito-idp get-user --access-token <value>
{
  "Username": "[email protected]",
  "UserAttributes": [
    {
      "Name": "sub",
      "Value": "491a3eba-381f-4c87-a7d6-befa21e49e82"
    },
    {
      "Name": "email_verified",
      "Value": "true"
    },
    {
      "Name": "phone_number_verified",
      "Value": "true"
    },
    {
      "Name": "phone_number",
      "Value": "+1234567890"
    },
    {
      "Name": "email",
      "Value": "[email protected]"
    }
  ],
  "PreferredMfaSetting": "SMS_MFA",
  "UserMFASettingList": [
    "SMS_MFA"
  ]
}
What you want to look at is the PreferredMfaSetting attribute. It tells you what your user chose for himself/herself.
And if you now try to authenticate like this:
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id <value> --auth-parameters USERNAME=<value>,PASSWORD=<value>
You will receive a response like this:
{
  "ChallengeName": "SMS_MFA",
  "Session": "<session-value>",
  "ChallengeParameters": {
    "CODE_DELIVERY_DELIVERY_MEDIUM": "SMS",
    "CODE_DELIVERY_DESTINATION": "+*********7890",
    "USER_ID_FOR_SRP": "[email protected]"
  }
}
OK, so what is this thing in the console doing? It is actually deprecated. Take a look at the documentation of MFAOptions here: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html
So let's just enable SMS MFA through the console and then check the output of GetUser:
{
  "Username": "[email protected]",
  "UserAttributes": [
    {
      "Name": "sub",
      "Value": "491a3eba-381f-4c87-a7d6-befa21e49e82"
    },
    {
      "Name": "email_verified",
      "Value": "true"
    },
    {
      "Name": "phone_number_verified",
      "Value": "true"
    },
    {
      "Name": "phone_number",
      "Value": "+1234567890"
    },
    {
      "Name": "email",
      "Value": "[email protected]"
    }
  ],
  "MFAOptions": [
    {
      "DeliveryMedium": "SMS",
      "AttributeName": "phone_number"
    }
  ],
  "PreferredMfaSetting": "SMS_MFA",
  "UserMFASettingList": [
    "SMS_MFA"
  ]
}
That's pretty much it.
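A small audit helper, added here as an example and not part of the answer above, that applies the rule the answer describes: decide whether MFA is enforced from PreferredMfaSetting/UserMFASettingList, report the legacy MFAOptions flag only for comparison, and map an InitiateAuth response to the next step. The response dicts are constructed samples mirroring the shapes shown above (boto3 returns the same keys); the user name is a placeholder.

```python
"""Audit Cognito MFA state from GetUser / InitiateAuth response dicts."""

MFA_CHALLENGES = {"SMS_MFA", "SOFTWARE_TOKEN_MFA"}


def mfa_status(user: dict) -> dict:
    """Summarise a GetUser response using the fields Cognito enforces at sign-in.

    MFAOptions is the legacy per-user SMS setting that the console's
    'SMS MFA Status' reflects; it is reported here but never used to
    decide whether MFA is enforced.
    """
    factors = set(user.get("UserMFASettingList", []))
    legacy_sms = any(o.get("DeliveryMedium") == "SMS" for o in user.get("MFAOptions", []))
    return {
        "enforced": bool(factors),                  # at least one MFA factor registered
        "preferred": user.get("PreferredMfaSetting"),
        "factors": sorted(factors),
        "legacy_sms_option": legacy_sms,
        # The situation from the question: preference set, console flag still off.
        "console_mismatch": ("SMS_MFA" in factors) != legacy_sms,
    }


def next_step(auth: dict) -> str:
    """Map an InitiateAuth response to what the client must do next."""
    challenge = auth.get("ChallengeName")
    if challenge in MFA_CHALLENGES:
        medium = auth.get("ChallengeParameters", {}).get("CODE_DELIVERY_DELIVERY_MEDIUM", "token")
        return f"respond-to-auth-challenge {challenge} (code via {medium})"
    if "AuthenticationResult" in auth:
        return "tokens issued without MFA"
    return f"other challenge: {challenge}"


# Constructed sample: GetUser after set-user-mfa-preference only (no MFAOptions key).
SAMPLE_PREF_ONLY = {
    "Username": "user@example.com",
    "UserAttributes": [{"Name": "phone_number", "Value": "+1234567890"}],
    "PreferredMfaSetting": "SMS_MFA",
    "UserMFASettingList": ["SMS_MFA"],
}
# Constructed sample: same user after SMS MFA was also toggled in the console.
SAMPLE_CONSOLE = dict(SAMPLE_PREF_ONLY,
                      MFAOptions=[{"DeliveryMedium": "SMS", "AttributeName": "phone_number"}])
# Constructed sample: InitiateAuth response for that user.
SAMPLE_AUTH = {"ChallengeName": "SMS_MFA", "Session": "<session-value>",
               "ChallengeParameters": {"CODE_DELIVERY_DELIVERY_MEDIUM": "SMS"}}
```

Run `mfa_status` over both samples: the first reports `console_mismatch` True (MFA enforced, legacy flag unset), the second False.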