Search code examples
amazon-cognitomulti-factor-authenticationtotp

Error trying to set up user MFA Preferences

I'm using the AWS CLI to enable a MFA user pool with only TOTP MFA (no SMS).

aws cognito-idp set-user-pool-mfa-config --user-pool-id xxxx_xxxx --mfa-configuration OPTIONAL --software-token-mfa-configuration Enabled=true

{
    "SoftwareTokenMfaConfiguration": {
        "Enabled": true
    },
    "MfaConfiguration": "OPTIONAL"
}

Seems okay, right? But when I try to set up an user preference I keep getting this error:

An error occurred (InvalidParameterException) when calling the AdminSetUserMFAPreference operation: User has not set up software token mfa

Command: aws cognito-idp admin-set-user-mfa-preference --user-pool-id xxxx_xxxx --username [email protected] --software-token-mfa-settings Enabled=true

Tryin to use admin-set-user-preference also doesn't work: aws cognito-idp admin-set-user-settings --user-pool-id us-xxxx-xxxx--username [email protected] --mfa-option DeliveryMedium=EMAIL

An error occurred (InvalidParameterException) when calling the AdminSetUserSettings operation: Only phone_number attribute is currently supported as a MFA option.

What am I missing? Does it need an extra configuration not mentioned anywhere in documentation?

Solution:

First you need to get the ACCESS_TOKEN for the user and proceed to start the TOTP process:

aws cognito-idp associate-software-token --access-token ACCESS_TOKEN

(this will generate a unique code that you could use in Google Authenticator)

With the TOTP code retrieved from the Authenticator app run:

aws cognito-idp verify-software-token --access-token ACCESS_TOKEN --user-code USER_CODE

With the successfull message from the previous command you can change the user preference:

aws cognito-idp admin-set-user-mfa-preference --user-pool-id xxxxx --username xxxxxxx --software-token-mfa-settings Enabled=True,PreferredMfa=True

Solution

  • Solution:

    First you need to get the ACCESS_TOKEN for the user and proceed to start the TOTP process:

    aws cognito-idp associate-software-token --access-token ACCESS_TOKEN

    (this will generate a unique code that you could use in Google Authenticator)

    With the TOTP code retrieved from the Authenticator app run:

    aws cognito-idp verify-software-token --access-token ACCESS_TOKEN --user-code USER_CODE

    With the successfull message from the previous command you can change the user preference:

    aws cognito-idp admin-set-user-mfa-preference --user-pool-id xxxxx --username xxxxxxx --software-token-mfa-settings Enabled=True,PreferredMfa=True