Menu
I have a Cognito user pool which has MFA set to Required with TOTP only (i.e. no SMS).
My question is how do I reset the MFA for a user? For example what if the user loses his phone so he doesn't have anyway to login.
I have tried reset password but that only resets the password, it doesn't remove the MFA.
At the bottom of this AWS documentation, it says
NOTE A delete TOTP software token operation is not currently available in the API. This functionality is planned for a future release. Use SetUserMFAPreference to disable TOTP MFA for an individual user.
So I tried SetUserMFAPreference and AdminSetUserMFAPreference, they just return 200 OK but doesn't actually disable the MFA. I guess it's due to the user pool has MFA set to Required.
459
In order to change a Cognito user's status from FORCE_CHANGE_PASSWORD to CONFIRMED , we have to change their password. To change a Cognito user's password, use the admin-set-password command, setting the --permanent parameter. Copied!
To update a cognito user's attributes use the admin-update-user-attributes command, specifying the user-pool-id , username and user-attributes parameters.
The user name is a fixed value that users can't change. If you mark an attribute as an alias, users can sign in with that attribute in place of the user name. You can mark the email address, phone number, and preferred username attributes as aliases.
I found that it is possible to change MFA settings to 'Required' even after users are added to the user pool. So, you don't have to create another user pool.
It is impossible to change it from the console, but aws cli (and probably via set_user_pool_mfa_config() API) can change it like:
% aws cognito-idp set-user-pool-mfa-config --user-pool-id <userpool_id> --mfa-configuration ON --software-token-mfa-configuration Enabled=true
Although I couldn't find the way to delete/change the "each user's MFA (OTP)".
140
At this point, since AWS does not support resetting the MFA (if your user pool requires MFA - disabling MFA using AdminSetUserMFAPreference will return 200 OK but it will do nothing), the only way to do this is to create a new user pool with optional MFA (you have to create a new one since changing from required to optional is prohibited once the user pool is created). Then with the new user pool, you have to enforce the MFA (if that's something that you want) manually within your code.
For that, once the user logs in successfully and the return object has the tokens in it, you have to call AssociateSoftwareToken instead of returning the tokens and start the MFA registration process. The tokens (like IdToken) will only be returned to the user when they managed to complete the call to AdminRespondToAuthChallenge successfully.
Bottom line, with the optional MFA, the AdminSetUserMFAPreference will work. And this is the only way to reset MFA in a user pool on AWS (at this point).
[UPDATE]
Not that my original answer was invalid, but just to provide more information, here's some extra explanation on how to use AdminSetUserMFAPreference:
First of all, you need a user pool with optional MFA. The optional is the keyword here. This solution does not work on a user pool with required MFA.
Having the user pool setup, I assume there's a user properly signed up to your user pool. This means that they can authenticate themselves against your user pool without any issues. Of course, the whole point is that they need to provide MFA as part of their authentication process. But since we already established, MFA is optional in your user pool so if you insist on enforcing MFA on your users, that means you have to do so within your code manually.
Alright, so far everyone's happy. But just as the reality, come the sad days. Your user loses their MFA codes and cannot generate any new ones. So you would like to provide them with the possibility of resetting their MFA by re-registring a new device. Of course, first, you need to make sure that it's the actual user requesting such a thing. I mean you don't want anyone (but the true user) to be able to make such a request. So you need to authenticate them first. But the fact that they cannot authenticate (due to missing MFA) is the whole reason why they ended up here. So what can you do now? Well, even though this part is out of the scope of this post, but as a small hint, you can send them an email with a code and ask them to return it back to you as a one-time authentication mechanism.
OK, back to the question at hand. Now, you are sure that it's the actual account owner is requesting the MFA reset. And this is how you do it:
async function resetMfa(username) {
const cognito = new AWS.CognitoIdentityServiceProvider();
await cognito.adminSetUserMFAPreference({
UserPoolId: "user pool ID",
Username: username,
SoftwareTokenMfaSettings: {
Enabled: false,
}
}).promise();
}
Once their MFA is disabled, in order to re-register a new device, the account owner has to attempt a new login. This attempt will be just like the first time they are logging into their account and they will be asked to register a new MFA device.
I hope that clarifies things a bit more. If you want to know how to use MFA (manually), I have this other post which addresses it.
38
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
