
Is SMS MFA Status in Cognito user pools set by calling setPreferredMFA or is that something else?


When using setPreferredMFA, the SMS MFA Status in Cognito user pools is disabled even if setPreferredMFA is set.

What does SMS MFA Status represent and what does it do when I enable it or disable it?

Thank you


Solution

  • This is nothing more than an inconsistency in AWS console/API responses. Example: Let's enable SMS MFA for a user:

    aws cognito-idp set-user-mfa-preference --sms-mfa-settings Enabled=true,PreferredMfa=true --access-token <value>
    

    Yes, in the console it still looks as if SMS MFA was not enabled. But this is not true. Let's get our user's data:

    aws cognito-idp get-user --access-token <value>
    
    {
        "Username": "[email protected]",
        "UserAttributes": [
            {
                "Name": "sub",
                "Value": "491a3eba-381f-4c87-a7d6-befa21e49e82"
            },
            {
                "Name": "email_verified",
                "Value": "true"
            },
            {
                "Name": "phone_number_verified",
                "Value": "true"
            },
            {
                "Name": "phone_number",
                "Value": "+1234567890"
            },
            {
                "Name": "email",
                "Value": "[email protected]"
            }
        ],
        "PreferredMfaSetting": "SMS_MFA",
        "UserMFASettingList": [
            "SMS_MFA"
        ]
    }
    

    What you want to look at is the PreferredMfaSetting attribute. It tells you what your user chose for himself/herself.

    And if you now try to authenticate like this:

    aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id <value> --auth-parameters USERNAME=<value>,PASSWORD=<value>
    

    You will receive a response like this:

    {
        "ChallengeName": "SMS_MFA",
        "Session": "<session-value>",
        "ChallengeParameters": {
            "CODE_DELIVERY_DELIVERY_MEDIUM": "SMS",
            "CODE_DELIVERY_DESTINATION": "+*********7890",
            "USER_ID_FOR_SRP": "[email protected]"
        }
    }
    

    Ok, so what is this thing in the console doing? It is actually deprecated. Take a look at the documentation of the MFAOptions here: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html

    So let's just enable SMS MFA through the console and then check the output of GetUser:

    {
        "Username": "[email protected]",
        "UserAttributes": [
            {
                "Name": "sub",
                "Value": "491a3eba-381f-4c87-a7d6-befa21e49e82"
            },
            {
                "Name": "email_verified",
                "Value": "true"
            },
            {
                "Name": "phone_number_verified",
                "Value": "true"
            },
            {
                "Name": "phone_number",
                "Value": "+1234567890"
            },
            {
                "Name": "email",
                "Value": "[email protected]"
            }
        ],
        "MFAOptions": [
            {
                "DeliveryMedium": "SMS",
                "AttributeName": "phone_number"
            }
        ],
        "PreferredMfaSetting": "SMS_MFA",
        "UserMFASettingList": [
            "SMS_MFA"
        ]
    }
    

    That's pretty much it.
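The check the answer describes, as an added example that is not part of the original answer: it reads the fields GetUser/AdminGetUser actually return (PreferredMfaSetting, UserMFASettingList) instead of the deprecated MFAOptions the console reflects, and flags the mismatches an auditor would want to see. The sample response is constructed from the answer's output; `audit_pool` assumes a boto3 `cognito-idp` client, and treating a legacy-only MFAOptions entry as "review, not enforced" is this example's own policy.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class MfaState:
    preferred: Optional[str]
    enabled: list            # methods present in UserMFASettingList
    legacy_sms: bool         # deprecated MFAOptions entry (what the console "SMS MFA Status" shows)
    notes: list = field(default_factory=list)

    @property
    def enforced(self) -> bool:
        # InitiateAuth only issues an MFA challenge for methods in UserMFASettingList;
        # a legacy-only MFAOptions entry is reported for review, not counted (assumption)
        return bool(self.enabled)

def effective_mfa(user: dict) -> MfaState:
    """Derive the real MFA state from a GetUser / AdminGetUser response."""
    attrs = {a["Name"]: a["Value"] for a in user.get("UserAttributes", [])}
    preferred = user.get("PreferredMfaSetting")
    enabled = [m for m in user.get("UserMFASettingList", []) if m in ("SMS_MFA", "SOFTWARE_TOKEN_MFA")]
    legacy = any(o.get("DeliveryMedium") == "SMS" for o in user.get("MFAOptions", []))
    state = MfaState(preferred, enabled, legacy)
    if preferred and preferred not in enabled:
        state.notes.append(f"preferred method {preferred} is not in UserMFASettingList")
    if "SMS_MFA" in enabled and not legacy:
        state.notes.append("console 'SMS MFA Status' reads disabled: it reflects deprecated MFAOptions")
    if legacy and "SMS_MFA" not in enabled:
        state.notes.append("only deprecated MFAOptions is set; confirm the flow with InitiateAuth")
    if "SMS_MFA" in enabled and attrs.get("phone_number_verified") != "true":
        state.notes.append("SMS_MFA enabled but phone_number is not verified")
    return state

def audit_pool(client, pool_id: str) -> dict:
    """Apply effective_mfa to every user; `client` is a boto3 'cognito-idp' client."""
    result = {}
    for page in client.get_paginator("list_users").paginate(UserPoolId=pool_id):
        for u in page["Users"]:
            result[u["Username"]] = effective_mfa(
                client.admin_get_user(UserPoolId=pool_id, Username=u["Username"]))
    return result

# Constructed sample modelled on the first GetUser output in the answer above
SAMPLE_USER = {
    "Username": "user@example.com",
    "UserAttributes": [{"Name": "phone_number_verified", "Value": "true"},
                       {"Name": "phone_number", "Value": "+1234567890"}],
    "PreferredMfaSetting": "SMS_MFA",
    "UserMFASettingList": ["SMS_MFA"],
}
```

Run `audit_pool(boto3.client("cognito-idp"), "<pool-id>")` to get one MfaState per user; anything with `enforced` false or a non-empty `notes` list deserves a look.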