sendMFACode with TOTP returns SoftwareTokenMFANotFoundException

[jamie-digital]

I'm trying to sign in as a user with TOTP-based MFA enabled, in a UserPool with MFA optional and TOTP only.

• I register the user successfully, confirming their email.
• The user can sign in fine without MFA.
• The user enables MFA by calling cognitoUser.associateSoftwareToken to produce a new secret code, which the user adds to their TOTP device.
• The user then enters their code to cognitoUser.verifySoftwareToken, which successfully adds the new device.
• The next time the user signs in, the totpRequired callback is called to indicate that an MFA code is required. This also includes a Session parameter, which I store.
• The user enters their TOTP code, which is submitted to cognitoUser.sendMFACode(code, callbacks, "SOFTWARE_TOKEN_MFA"), with the Session set on cognitoUser.
• The SDK is calling the RespondToAuthChallenge API with the relevant parameters, but the server is responding with SoftwareTokenMFANotFoundException: Software Token MFA does not exist for the user.. The documentation indicates that this exception means that TOTP-based MFA is not enabled for the user pool, but the message suggests it's a problem with this specific user.

I'm happy to provide any more info that would be helpful. Thanks for your help.

[itrestian]

In case the MFA is optional, you need to also use setUserMfaPreference to set TOTP as enabled after verifying (it can be done with or without user input). This is use case 29 in the README.

[itrestian]

Closing this, feel free to reopen if necessary.

[jamie-digital]

Sorry, I meant to mention in my original message that I was calling setUserMfaPreference to enable and "prefer" TOTP after calling verifySoftwareToken. Without this, the totpRequired callback isn't called during signin. I don't think I can reopen the issue; sorry.

[jamie-digital]

@itrestian is it possible to reopen this? Thanks.

[itrestian]

Yes, sorry about that, I was pretty sure the missing step you had in your original description caused this. One question, are you using aliases?

[jamie-digital]

No, the User Pool uses the email address as the user ID, so you sign in with email and the account gets an auto-generated UUID.

[jamie-digital]

@itrestian I don't suppose there's any progress on this? I want to be able to turn on MFA but can't yet. Thanks

[itrestian]

We root caused the issue and are in the process of fixing it. Will update once the fix is deployed.

[jamie-digital]

Fantastic, thanks for all your work :)

[itrestian]

This is fixed.

This repo is archived but feel free to open an issue on the aws-amplify repo if it still an issue.