1
votes

I am researching AWS Cognito by building a demo. I can now set a user's MFA preference to enable SMS and/or TOTP, and set one of them as the preferred MFA type. Then, the next time the user authenticates, the user is challenged with an SMS or TOTP verification code according to the preferred MFA type.

My question is, what if the user wants to switch MFA type after the initial password authentication but before the MFA response? For example, the user may have TOTP on a device other than his phone. The user set SMS as the preferred MFA type but realized, after sending the password and being challenged to provide the SMS verification code, that he didn't have his phone around but the TOTP device was available. How can the user switch to TOTP at this moment? Or, if the user's preference is TOTP but he wants to switch to SMS in the same circumstance? What API should be called?

I cannot find an API method to call in the documentation. Maybe this can only be achieved through Lambda triggers? In my opinion this is a rather common situation and should be covered by an example or an API method.

Best regards,

Bing

1

1 Answer

1
votes

You can allow users to select between SMS MFA and TOTP MFA if the user has set up both MFAs but neither of them is selected as the preferred one. The following Python code does this:

import boto3

# accessToken is the signed-in user's Cognito access token (obtained after authentication).
client = boto3.client('cognito-idp')

# Enable both factors but mark neither as preferred, so Cognito will ask the user
# to choose (SELECT_MFA_TYPE challenge) on the next sign-in.
response = client.set_user_mfa_preference(
    SMSMfaSettings={
        'Enabled': True,
        'PreferredMfa': False
    },
    SoftwareTokenMfaSettings={
        'Enabled': True,
        'PreferredMfa': False
    },
    AccessToken=accessToken
)

Note: User must associate TOTP before enabling the TOTP as MFA, else it will throw an error.

After making these changes, when you call the user authentication function, it will give the user the option to select the MFA type in the challenge.
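The sign-in side of the flow the answer describes, as an added example that is not part of the answer and not AWS's own code: after the preference above is set, `initiate_auth` returns a `SELECT_MFA_TYPE` challenge, the client answers it with `ANSWER` set to `SMS_MFA` or `SOFTWARE_TOKEN_MFA`, and Cognito then issues that factor's challenge. The `login_with_mfa_choice` function accepts any object with `initiate_auth` and `respond_to_auth_challenge` methods, so a real `boto3.client('cognito-idp')` can be passed in; the `FakeCognitoClient` is a constructed in-memory stand-in (assumed behaviour, not the service) so the example runs offline, and the client ID, users and one-time codes are made-up placeholders. The example does not rely on any specific key inside `ChallengeParameters`; it passes that dict through to the caller's chooser unchanged.

```python
import secrets

# Cognito challenge names and the ChallengeResponses key that carries the code for each.
CODE_KEY = {"SMS_MFA": "SMS_MFA_CODE", "SOFTWARE_TOKEN_MFA": "SOFTWARE_TOKEN_MFA_CODE"}


def login_with_mfa_choice(client, client_id, username, password, choose_factor, get_code):
    """Sign in, letting the user pick a factor when Cognito returns SELECT_MFA_TYPE.

    choose_factor(challenge_parameters) -> "SMS_MFA" or "SOFTWARE_TOKEN_MFA"
    get_code(factor) -> the one-time code the user entered for that factor
    Returns the AuthenticationResult dict (tokens) on success.
    """
    resp = client.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    for _ in range(3):  # at most SELECT_MFA_TYPE followed by one factor challenge
        if resp.get("AuthenticationResult"):
            return resp["AuthenticationResult"]
        challenge = resp["ChallengeName"]
        if challenge == "SELECT_MFA_TYPE":
            answer = choose_factor(resp.get("ChallengeParameters", {}))
            resp = client.respond_to_auth_challenge(
                ClientId=client_id, ChallengeName=challenge, Session=resp["Session"],
                ChallengeResponses={"USERNAME": username, "ANSWER": answer})
        elif challenge in CODE_KEY:
            resp = client.respond_to_auth_challenge(
                ClientId=client_id, ChallengeName=challenge, Session=resp["Session"],
                ChallengeResponses={"USERNAME": username, CODE_KEY[challenge]: get_code(challenge)})
        else:
            raise RuntimeError(f"unhandled challenge {challenge}")
    raise RuntimeError("too many challenge rounds")


class FakeCognitoClient:
    """Constructed stand-in for the cognito-idp client: only the two calls above.

    users: username -> {"password", "SMS_MFA", "SOFTWARE_TOKEN_MFA", "preferred", "codes"}
    Session tokens are bound to the pending challenge so replies can be checked.
    """

    def __init__(self, users):
        self.users = users
        self.sessions = {}      # session token -> (username, pending challenge name)
        self.challenges = []    # challenge names issued, in order (for inspection)

    def _challenge(self, username, name):
        session = secrets.token_hex(8)
        self.sessions[session] = (username, name)
        self.challenges.append(name)
        return {"ChallengeName": name, "Session": session, "ChallengeParameters": {}}

    def initiate_auth(self, ClientId, AuthFlow, AuthParameters):
        username = AuthParameters["USERNAME"]
        user = self.users.get(username)
        if user is None or user["password"] != AuthParameters["PASSWORD"]:
            raise PermissionError("NotAuthorizedException")
        enabled = [f for f in CODE_KEY if user.get(f)]
        if user.get("preferred"):            # preferred factor set: no choice offered
            return self._challenge(username, user["preferred"])
        if len(enabled) > 1:                 # both enabled, none preferred: let the user choose
            return self._challenge(username, "SELECT_MFA_TYPE")
        return self._challenge(username, enabled[0])

    def respond_to_auth_challenge(self, ClientId, ChallengeName, Session, ChallengeResponses):
        username, pending = self.sessions.pop(Session)   # a session is single-use
        if ChallengeName != pending:
            raise ValueError("InvalidParameterException: unexpected challenge")
        user = self.users[username]
        if ChallengeName == "SELECT_MFA_TYPE":
            answer = ChallengeResponses["ANSWER"]
            if not user.get(answer):
                raise ValueError("InvalidParameterException: factor not enabled for user")
            return self._challenge(username, answer)
        if ChallengeResponses.get(CODE_KEY[ChallengeName]) != user["codes"][ChallengeName]:
            raise PermissionError("CodeMismatchException")
        return {"AuthenticationResult": {"AccessToken": "access-" + username,
                                         "IdToken": "id-" + username}}


def demo():
    """Constructed scenario: alice has both factors enabled with no preference and
    picks TOTP at the SELECT_MFA_TYPE prompt. Returns (tokens, challenge sequence)."""
    client = FakeCognitoClient({
        "alice": {"password": "pw-placeholder", "SMS_MFA": True, "SOFTWARE_TOKEN_MFA": True,
                  "preferred": None, "codes": {"SMS_MFA": "111111", "SOFTWARE_TOKEN_MFA": "222222"}},
    })
    tokens = login_with_mfa_choice(
        client, "client-id-placeholder", "alice", "pw-placeholder",
        choose_factor=lambda params: "SOFTWARE_TOKEN_MFA",
        get_code=lambda factor: "222222")
    return tokens, client.challenges


if __name__ == "__main__":
    print(demo())
```

With a user whose `PreferredMfa` is set, the fake (like the service) skips the selection step and goes straight to that factor's challenge, which is the behaviour the question ran into; only the two-factors-enabled, none-preferred configuration from the answer produces the `SELECT_MFA_TYPE` prompt.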