
Change Cognito User Status to MFA_SETUP


Is it possible via the Cognito API to change a user's status to MFA_SETUP programmatically on a user pool which has MFA set to optional?

Our use case is we set up users with different groups and want to enforce MFA only on our admin group. From what I gather from the documentation, the MFA_SETUP status will send a challenge to the user to set up MFA on login, but I'm not sure if that is only possible if MFA is required on the user pool. If there is another way to force a user to set up MFA while keeping the pool MFA optional, that would also be fine. We are also not using the hosted UI and are using the Cognito server-side authentication flow.


Solution

  • When your user pool MFA setting is set to optional, Cognito won't respond with the MFA setup challenge automatically. You need to explicitly make the call to setup MFA from your client for Cognito to respond with the appropriate challenge to set up authenticator based MFA.

    Using the AWS SDK, the method to set up MFA for a user is AssociateSoftwareToken, which will respond with the secret code you could show as a QR code to set up the user's MFA. Here is the API reference for this call.

    After your user verifies the code, they will get the "SOFTWARE_TOKEN_MFA" challenge when they attempt to log in. Follow this AWS guide if you still need help with the remaining steps to verify and authenticate the MFA code.

    TIP: Since this call requires a valid session and access token, you need to have authenticated your user first.
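The flow the answer describes, as an added example in Python with boto3 (this is not code from the answer or from AWS): after the user has already logged in, it checks whether they are in the admin group and still lack TOTP MFA, then runs AssociateSoftwareToken, VerifySoftwareToken and SetUserMFAPreference so the next login gets the SOFTWARE_TOKEN_MFA challenge on an MFA-optional pool. The group name "admin", the issuer label and the placeholder ids are assumptions.

```python
"""Enrol admin-group users in TOTP MFA on an MFA-optional Cognito pool (server-side flow)."""
from typing import Callable
from urllib.parse import quote

ADMIN_GROUP = "admin"  # assumption: the group whose members must set up MFA


def user_needs_mfa(cognito, user_pool_id: str, username: str,
                   admin_group: str = ADMIN_GROUP) -> bool:
    """True when the user is in the admin group and has no TOTP MFA registered yet."""
    groups = cognito.admin_list_groups_for_user(UserPoolId=user_pool_id, Username=username)
    if not any(g["GroupName"] == admin_group for g in groups.get("Groups", [])):
        return False
    user = cognito.admin_get_user(UserPoolId=user_pool_id, Username=username)
    return "SOFTWARE_TOKEN_MFA" not in user.get("UserMFASettingList", [])


def build_otpauth_uri(secret: str, username: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps accept when rendered as a QR code."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(username)}"
            f"?secret={secret}&issuer={quote(issuer)}")


def enrol_totp(cognito, access_token: str, username: str, issuer: str,
               read_code: Callable[[str], str]) -> bool:
    """AssociateSoftwareToken -> QR -> VerifySoftwareToken -> SetUserMFAPreference.

    access_token comes from the user's already completed login.  read_code receives
    the otpauth URI and returns the 6-digit code the user typed from their app.
    """
    assoc = cognito.associate_software_token(AccessToken=access_token)
    code = read_code(build_otpauth_uri(assoc["SecretCode"], username, issuer))
    # With real boto3 a wrong code raises EnableSoftwareTokenMFAException; let it propagate.
    verified = cognito.verify_software_token(AccessToken=access_token, UserCode=code,
                                             FriendlyDeviceName="authenticator app")
    if verified.get("Status") != "SUCCESS":
        return False
    # Without this preference Cognito still will not challenge the user on the next login.
    cognito.set_user_mfa_preference(
        AccessToken=access_token,
        SoftwareTokenMfaSettings={"Enabled": True, "PreferredMfa": True},
    )
    return True


if __name__ == "__main__":  # placeholders: supply real ids and a token from InitiateAuth
    import boto3
    client = boto3.client("cognito-idp")
    if user_needs_mfa(client, "<USER_POOL_ID>", "<USERNAME>"):
        ok = enrol_totp(client, "<ACCESS_TOKEN>", "<USERNAME>", "Example App",
                        lambda uri: input(f"Scan {uri} then enter code: "))
        print("MFA enrolled" if ok else "MFA enrolment failed")
```

The group check is what lets you keep the pool at "optional" while still refusing to hand out admin access until enrolment has succeeded.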