moonshinephoenix
commented
1 year ago I found out that when the phone number is verified sendMFACode works as expected and I can authenticate. Since https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-text-message.html stated that 'When a user successfully goes through the SMS text message MFA flow, their phone number is also marked as verified.' I thought it was not necessary but i guess it is.
To avoid such a problem (the error message from cognito is extremely missleading) in future it would be good to do at least one of the following
- document that a verified phone number is highly recommended when activating SMS-MFA and changing attributes.
- reject activation if the number is not verified and reject editing phone_number attribute without disabeling SMS-MFA
- trigger attribute verification if necessary during MFA setup and when changing phone_number attribute.
furaiev
When sending a SMS-MFA code using sendMFACode authentication fails even when providing the correct code.
Providing the autogenerated GUID-like username instead of the email as USERNAME in the ChallengeResponse for the RespondToAuthChallenge request works like a charm. When looking at the SMS-MFA challenge the username was also provided in the GUID-like style and not an email. Maybe these values have to correspond. I did not find any information on this but trying to respond to a SOFTWARE_TOKEN_MFA challenge it workt with the GUID-like username as well as with the email.