Steps to attach MFA to User in Amazon Cognito
-
Add MFA to UserPool using this link
-
Get the Access Token with the Go script in this folder.
-
Run the AssociateSoftwareToken Command
aws cognito-idp associate-software-token --access-token ACCESS_TOKEN
Output will look like something like this
{
"SecretCode":
"AETQ6XXMDFYMEPFQQ7FD4HKXXXXAOY3MBXIVRBLRXX3SXLSHHWOA"
}
-
Open Google Authenticator or any other Authenticator and click in Get started
-
Setup the SecretCode that you get with the above command.
-
Choose the Type of key dropdown list, and then select Time based.
-
For Account name, enter an account name. For example, BobPhone.
-
Verify the software token using the time-based password that appears on the screen and the following code
aws cognito-idp verify-software-token --access-token ACCESS_TOKEN --user-code AUTHETICATOR_CODE --friendly-device-name BobPhone
Output will look like the following
{
"Status": "SUCCESS"
}
- Configure the user's MFA configuration to TOTP MFA
aws cognito-idp admin-set-user-mfa-preference --software-token-mfa-settings Enabled=true,PreferredMfa=true --username Bob --user-pool-id us-east-1_123456789