Amplify-js: MFA can't be disabled

Created on 20 Mar 2019 · 21 Comments · Source: aws-amplify/amplify-js

Which Category is your question related to?
Auth

What AWS Services are you utilizing?
Cognito

Provide additional details e.g. code snippets

Auth.signIn(username, password)
    .then(user => {
      if (user.challengeName === 'SELECT_MFA_TYPE') {
        // ...now what?
      }
    });

So, digging deeper into things on GitHub, I've tried user.sendMFASelectionAnswer('SOFTWARE_TOKEN_MFA', callback) which didn't seem to work. The Auth class doesn't seem to have anything.

I actually have all MFA disabled for this user, yet I'm getting this response that's asking me to choose which MFA option to use. So I can't log in.

Any user that previously did not set up BOTH SMS and TOTP seems to be ok though.

Any user that set up and has enabled MFA can login using MFA because the challengeName that comes back then is SOFTWARE_TOKEN_MFA or SMS_MFA and I call an Auth.confirmSignIn() with the code answer.

Cognito Service Team pending-close-response-required
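The "now what?" above is the client-side part of the problem: Amplify hands back a `CognitoUser` whose `challengeName` says what Cognito wants next, and the application has to answer it. The following is an added example, not amplify-js code and not the reporter's. It assumes the Amplify v1-v4 `Auth` API (`Auth.signIn`, `Auth.confirmSignIn(user, code, mfaType)`) and the callback shape of `CognitoUser.sendMFASelectionAnswer` from amazon-cognito-identity-js (`onFailure`, `mfaRequired`, `totpRequired`); `auth` and `promptForCode` are injected, and `fakeAuth` is a constructed stand-in so the flow runs offline. It does nothing about the service-side state the thread describes; it only makes sure the client answers each challenge and never treats an unanswered one as a login.

```javascript
// Added example (not amplify-js code): completing a Cognito sign-in for every
// challenge this thread mentions. Assumes the Amplify v1-v4 Auth API
// (Auth.signIn, Auth.confirmSignIn) and the callback shape of
// CognitoUser.sendMFASelectionAnswer from amazon-cognito-identity-js.
// `auth` and `promptForCode` are injected so the flow can run offline.

const MFA_CHALLENGES = new Set(['SMS_MFA', 'SOFTWARE_TOKEN_MFA']);

// Wrap the callback-style sendMFASelectionAnswer in a promise that resolves
// to the concrete MFA challenge Cognito issues after the selection.
function selectMfaType(user, mfaType) {
  return new Promise((resolve, reject) => {
    user.sendMFASelectionAnswer(mfaType, {
      onFailure: reject,
      mfaRequired: (challengeName) => resolve(challengeName),   // SMS_MFA
      totpRequired: (challengeName) => resolve(challengeName),  // SOFTWARE_TOKEN_MFA
    });
  });
}

// Drive one sign-in to completion. `preferredMfa` is consulted only when
// Cognito returns SELECT_MFA_TYPE; any other unexpected challenge is
// surfaced as an error rather than treated as a successful login.
async function completeSignIn(auth, username, password, promptForCode,
                              preferredMfa = 'SOFTWARE_TOKEN_MFA') {
  const user = await auth.signIn(username, password);
  let challenge = user.challengeName;

  if (challenge === 'SELECT_MFA_TYPE') {
    if (!MFA_CHALLENGES.has(preferredMfa)) {
      throw new Error(`unsupported MFA preference: ${preferredMfa}`);
    }
    challenge = await selectMfaType(user, preferredMfa);
  }

  if (challenge === undefined) {
    return { status: 'authenticated', user, mfaType: null };
  }

  if (MFA_CHALLENGES.has(challenge)) {
    const code = String(await promptForCode(challenge));
    // Cognito SMS and TOTP codes are six digits; reject malformed input
    // locally so a typo does not consume one of the limited attempts.
    if (!/^\d{6}$/.test(code)) {
      throw new Error('MFA code must be six digits');
    }
    const confirmed = await auth.confirmSignIn(user, code, challenge);
    return { status: 'authenticated', user: confirmed, mfaType: challenge };
  }

  // NEW_PASSWORD_REQUIRED, MFA_SETUP, custom challenges, ...
  throw new Error(`unhandled challenge: ${challenge}`);
}

// Constructed stand-in for Amplify's Auth object (no network, not a real
// client). `initialChallenge` is what the fake sign-in reports.
function fakeAuth(initialChallenge) {
  const calls = [];
  const user = {
    username: 'demo-user',
    challengeName: initialChallenge,
    sendMFASelectionAnswer(answer, cb) {
      calls.push(['sendMFASelectionAnswer', answer]);
      if (answer === 'SMS_MFA') cb.mfaRequired('SMS_MFA', {});
      else cb.totpRequired('SOFTWARE_TOKEN_MFA', {});
    },
  };
  return {
    calls,
    async signIn(u, p) { calls.push(['signIn', u]); return user; },
    async confirmSignIn(u, code, mfaType) {
      calls.push(['confirmSignIn', code, mfaType]);
      return { ...u, challengeName: undefined };
    },
  };
}

// Stand-alone demo: the reporter's situation, SELECT_MFA_TYPE answered with TOTP.
async function demo() {
  const auth = fakeAuth('SELECT_MFA_TYPE');
  const result = await completeSignIn(auth, 'demo-user', 'pw', async () => '123456');
  return { mfaType: result.mfaType, calls: auth.calls.map((c) => c[0]) };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The design point is the final `throw`: a challenge the client does not recognise (a new password requirement, `MFA_SETUP`, a custom Lambda challenge) must not fall through to code that assumes a session exists. Swapping `fakeAuth` for the real `Auth` import is the only change needed to use `completeSignIn` in an application.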

All 21 comments

I actually was then able to submit another MFA challenge answer, a TOTP code, after that user.sendMFASelectionAnswer('SOFTWARE_TOKEN_MFA', () => {}) call, and log in. This is very strange because this user should have MFA disabled. Getting the preferred MFA type returns NOMFA.

Also, I cannot disable SMS-based MFA in my Cognito User Pool settings. It prevents me because of an SMS IAM role. I've deleted the IAM role and it still has that field filled in with the IAM role and says I can't disable SMS MFA because of that role (which actually no longer exists).

I also cannot disable advanced security (or switch to audit only) because an error flashes about my roles still being created.

I also cannot change Cognito pool settings at all now (because I thought removing my SMS role was a good idea).

Hi @tmaiaroto

I am labeling this as a service team issue and will share it with the Cognito team.

Thanks, yea, I'm starting to think it's more in the service than this library now.

To give you as much debug info/repro as I can, I looked further. I wanted to see if I could isolate and ensure it is not an issue with the Amplify JS library (or my JS code).

Trying outside of my application from the CLI with a command like (I'm omitting username, pool ids, etc.) cognito-idp admin-set-user-mfa-preference --software-token-mfa-settings Enabled=false,PreferredMfa=false and then issuing an admin-get-user just to double-check: it shows "UserMFASettingList": [] as expected. So the Cognito service itself will tell you there's no MFA enabled. Cool.

However, I'm still hit for the MFA {"ChallengeName":"SOFTWARE_TOKEN_MFA",... when trying to login at home here instead of work (the IP change raising the risk level).

Again, removing my code from the equation, I can also go to the hosted AWS Cognito signin page/form. It too will ask for the TOTP verification.

So it seems it can't be disabled. I do know the documentation says it's also not currently possible to disassociate/delete a TOTP device. Not sure if there's something related in there, but my concern here is how would I troubleshoot customer issues? A customer would very likely (oh come on, of course someone will haha) lose their TOTP app (new phone, whatever it may be --- or disable it thinking they no longer need it), trigger a risk level that puts them in the "optional MFA" category and then be locked out of their account. Again, since admin commands here from the CLI proved to do nothing, I literally could have users completely locked out.

I guess I could delete them and make them sign up again? Then sync their user ID to my database again, delete their old account, lose all the audit trail for security, etc. I guess perhaps possible, but there must be something I'm missing or some better work around if this is an issue.

Tomorrow I can run through it with SMS to see if it has the same problem as TOTP or not.

Anyway, hope this helps. Happy to work with whomever to provide any help or additional details that I can! Thanks!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

How do I reset a user's MFA without being able to disable it? Was this an issue you were running into, @tmaiaroto? I tried the aws cognito-idp admin-set-user-mfa-preference route but no luck there.

@tmaiaroto I suspect that the "Enable SMS MFA" button in the AWS Console is using a deprecated API (probably SetUserSettings). The "SMS MFA Status" field is likely to be also using the same deprecated field.

So do not use the "Enable SMS MFA" button. It will put the system into a state you can't change. Although, I haven't tried this, but maybe you can use the deprecated SetUserSettings API call to disable SMS MFA.

Testing using the SetUserMFAPreference and AdminSetUserMFAPreference works as advertised.

Why was this issue closed? It doesn't seem like there was a clear resolution. We are having a similar problem.

Same problem here, I cannot disable email verification:

MFA cannot be turned off if an SMS role is configured

@manueliglesias can you open a new issue as per https://github.com/aws-amplify/amplify-js/issues/2906#issuecomment-504684147 ? @tmaiaroto @camilobern @blasco ?

I'm curious if this ever gets resolved, but I'm not currently using AWS Amplify or Cognito.

Year later and this still hasn't been resolved...

Same problem, I think I will avoid using the CLI from now on as it automatically creates an SNS role which can't be removed from the user pool, even if you delete this role.

EDIT:

  • amplify add auth
  • go through all the config
  • open the file backend/auth/<name>/<name>-cloudformation-template.yml
  • remove SNSRole row in Resources and SmsConfiguration in Resources > UserPool > Properties
  • amplify push

You can see there's no SNS role attached to your User Pool.

It's stuff like this that makes me lose faith in AWS. Really disappointing to see this being ignored for years.

Anyway, for any Googlers coming here. Depending on your use case you might be able to do the following:

  1. set the user pool to MFA optional
  2. when a user loses their MFA device, disable the user MFA preferences using the admin API:
     aws cognito-idp admin-set-user-mfa-preference --user-pool-id $USER_POOL_ID --username $USERNAME --software-token-mfa-settings Enabled=false,PreferredMfa=false
  3. let the user log on using only their password. When they are authenticated, re-run the Software Token Setup flow with the AssociateSoftwareToken and VerifySoftwareToken API. This lets them associate a new "device" with their account.
  4. after VerifySoftwareToken, call SetUserMfaPreference and set the Software Token to Enabled and Preferred.

Upon the next login attempt, the user will be asked for a verification code using the new SW token.
This can work if you have a small internal user base and you can make sure the time window between disabling MFA and registering the new device is sufficiently small. But really, this should work out of the box, AWS.
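The four steps above are the recovery procedure the thread converges on, and the commenter's caveat about the time window is the security-relevant part: between step 2 and step 4 the account is protected by the password alone. The code below is an added example, not AWS code, not amplify-js code and not the commenter's. It writes the procedure as two functions against an injected `cognito` adapter whose methods are named after the Cognito operations AdminSetUserMFAPreference, AssociateSoftwareToken, VerifySoftwareToken and SetUserMFAPreference, take the same request shapes, and return promises (a real adapter would wrap an AWS SDK client; `fakeCognito` here is a constructed stand-in with no network). The 15-minute default for the window, the device name and the pool id are illustrative values.

```javascript
// Added example (not AWS or amplify-js code): the four-step recovery flow from
// the comment above as two functions. `cognito` is an injected adapter whose
// methods are named after the Cognito operations AdminSetUserMFAPreference,
// AssociateSoftwareToken, VerifySoftwareToken and SetUserMFAPreference, take
// the same request shapes, and return promises (a real one would wrap an AWS
// SDK client). The 15-minute window is an illustrative default.

// Step 2, operator side: clear the stale TOTP preference so the user can log in
// with only the password while the pool is set to MFA optional. Returns when the
// window opened so the user-side step can refuse to run against a stale reset.
async function adminClearSoftwareTokenMfa(cognito, userPoolId, username, now = Date.now) {
  await cognito.adminSetUserMFAPreference({
    UserPoolId: userPoolId,
    Username: username,
    SoftwareTokenMfaSettings: { Enabled: false, PreferredMfa: false },
  });
  return { username, mfaDisabledAt: now() };
}

// Steps 3-4, user side, after a password-only login yielded `accessToken`.
// Associates a fresh TOTP secret, verifies one code from the new authenticator
// and only then re-enables TOTP as the preferred factor. If verification does
// not report SUCCESS the preference is left untouched and the error surfaces,
// so the account is never marked as MFA-protected by an unverified device.
async function reenrollSoftwareToken(cognito, accessToken, resetWindow, getCodeForSecret, opts = {}) {
  const { maxWindowMs = 15 * 60 * 1000, deviceName = 'recovered-authenticator', now = Date.now } = opts;

  if (now() - resetWindow.mfaDisabledAt > maxWindowMs) {
    throw new Error('re-enrollment window expired; repeat the admin step first');
  }

  const { SecretCode } = await cognito.associateSoftwareToken({ AccessToken: accessToken });
  // The user enters SecretCode (or scans it as a QR) into the new app and reads back a code.
  const userCode = String(await getCodeForSecret(SecretCode));

  const verify = await cognito.verifySoftwareToken({
    AccessToken: accessToken,
    UserCode: userCode,
    FriendlyDeviceName: deviceName,
  });
  if (verify.Status !== 'SUCCESS') {
    throw new Error(`VerifySoftwareToken returned ${verify.Status}; MFA left disabled`);
  }

  await cognito.setUserMFAPreference({
    AccessToken: accessToken,
    SoftwareTokenMfaSettings: { Enabled: true, PreferredMfa: true },
  });
  return { username: resetWindow.username, status: 'mfa-reenabled', device: deviceName };
}

// Constructed fake adapter (no network): records every call and accepts exactly
// one TOTP code so both the success and the failure path can be exercised.
function fakeCognito(acceptedCode = '123456') {
  const calls = [];
  return {
    calls,
    async adminSetUserMFAPreference(req) { calls.push(['AdminSetUserMFAPreference', req]); return {}; },
    async associateSoftwareToken(req) {
      calls.push(['AssociateSoftwareToken', req]);
      return { SecretCode: 'CONSTRUCTED-BASE32-SECRET' };
    },
    async verifySoftwareToken(req) {
      calls.push(['VerifySoftwareToken', req]);
      return { Status: req.UserCode === acceptedCode ? 'SUCCESS' : 'ERROR' };
    },
    async setUserMFAPreference(req) { calls.push(['SetUserMFAPreference', req]); return {}; },
  };
}

// Stand-alone run of the whole procedure against the fake (placeholder pool id).
async function demoRecovery(userCode = '123456') {
  const cognito = fakeCognito();
  const resetWindow = await adminClearSoftwareTokenMfa(cognito, 'us-east-1_EXAMPLE', 'alice');
  const result = await reenrollSoftwareToken(cognito, 'constructed-access-token', resetWindow, async () => userCode);
  return { result, operations: cognito.calls.map((c) => c[0]) };
}

demoRecovery().then((r) => console.log(JSON.stringify(r.operations)));
```

Two properties matter when running this for real. The window check makes the weakened state bounded and auditable: `mfaDisabledAt` should be logged alongside the operator who ran step 2, and a re-enrollment that does not complete in time forces the operator to repeat and re-log the reset. And `setUserMFAPreference` is reached only after `VerifySoftwareToken` reports `SUCCESS`, so a mistyped or replayed code cannot leave the account flagged as MFA-enabled with a device the user does not actually hold.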

@vic-blt does not work even after removing from the .yml file and pushing.

I've just tested and it worked.
Can you describe your issue?

@vic-blt
MFA cannot be turned off if an SMS role is configured
I had removed the entire SNSRole and then removed SmsConfiguration in UserPool > Properties, then pushed.

But I'm getting the same error that it cannot be disabled.
