SetUserPoolMfaConfig
Sets the user pool multi-factor authentication (MFA) and passkey configuration.
Note
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers
require you to register an origination phone number before you can send SMS messages
to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a
phone number with Amazon Pinpoint
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Request Syntax
{
"EmailMfaConfiguration": {
"Message": "string
",
"Subject": "string
"
},
"MfaConfiguration": "string
",
"SmsMfaConfiguration": {
"SmsAuthenticationMessage": "string
",
"SmsConfiguration": {
"ExternalId": "string
",
"SnsCallerArn": "string
",
"SnsRegion": "string
"
}
},
"SoftwareTokenMfaConfiguration": {
"Enabled": boolean
},
"UserPoolId": "string
",
"WebAuthnConfiguration": {
"RelyingPartyId": "string
",
"UserVerification": "string
"
}
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- EmailMfaConfiguration
-
Configures user pool email messages for MFA. Sets the subject and body of the email message template for MFA messages. To activate this setting, your user pool must be in the Essentials tier or higher.
Type: EmailMfaConfigType object
Required: No
- MfaConfiguration
-
The MFA configuration. If you set the MfaConfiguration value to ‘ON’, only users who have set up an MFA factor can sign in. To learn more, see Adding Multi-Factor Authentication (MFA) to a user pool. Valid values include:
-
OFF
MFA won't be used for any users. -
ON
MFA is required for all users to sign in. -
OPTIONAL
MFA will be required only for individual users who have an MFA factor activated.
Type: String
Valid Values:
OFF | ON | OPTIONAL
Required: No
-
- SmsMfaConfiguration
-
Configures user pool SMS messages for MFA. Sets the message template and the SMS message sending configuration for Amazon SNS.
Type: SmsMfaConfigType object
Required: No
- SoftwareTokenMfaConfiguration
-
Configures a user pool for time-based one-time password (TOTP) MFA. Enables or disables TOTP.
Type: SoftwareTokenMfaConfigType object
Required: No
- UserPoolId
-
The user pool ID.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 55.
Pattern:
[\w-]+_[0-9a-zA-Z]+
Required: Yes
- WebAuthnConfiguration
-
The configuration of your user pool for passkey, or webauthN, authentication and registration. You can set this configuration independent of the MFA configuration options in this operation.
Type: WebAuthnConfigurationType object
Required: No
Response Syntax
{
"EmailMfaConfiguration": {
"Message": "string",
"Subject": "string"
},
"MfaConfiguration": "string",
"SmsMfaConfiguration": {
"SmsAuthenticationMessage": "string",
"SmsConfiguration": {
"ExternalId": "string",
"SnsCallerArn": "string",
"SnsRegion": "string"
}
},
"SoftwareTokenMfaConfiguration": {
"Enabled": boolean
},
"WebAuthnConfiguration": {
"RelyingPartyId": "string",
"UserVerification": "string"
}
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- EmailMfaConfiguration
-
Shows user pool email message configuration for MFA. Includes the subject and body of the email message template for MFA messages. To activate this setting, your user pool must be in the Essentials tier or higher.
Type: EmailMfaConfigType object
- MfaConfiguration
-
The MFA configuration. Valid values include:
-
OFF
MFA won't be used for any users. -
ON
MFA is required for all users to sign in. -
OPTIONAL
MFA will be required only for individual users who have an MFA factor enabled.
Type: String
Valid Values:
OFF | ON | OPTIONAL
-
- SmsMfaConfiguration
-
Shows user pool SMS message configuration for MFA. Includes the message template and the SMS message sending configuration for Amazon SNS.
Type: SmsMfaConfigType object
- SoftwareTokenMfaConfiguration
-
Shows user pool configuration for time-based one-time password (TOTP) MFA. Includes TOTP enabled or disabled state.
Type: SoftwareTokenMfaConfigType object
- WebAuthnConfiguration
-
The configuration of your user pool for passkey, or webauthN, biometric and security-key devices.
Type: WebAuthnConfigurationType object
Errors
For information about the errors that are common to all actions, see Common Errors.
- ConcurrentModificationException
-
This exception is thrown if two or more modifications are happening concurrently.
HTTP Status Code: 400
- FeatureUnavailableInTierException
-
This exception is thrown when a feature you attempted to configure isn't available in your current feature plan.
HTTP Status Code: 400
- InternalErrorException
-
This exception is thrown when Amazon Cognito encounters an internal error.
HTTP Status Code: 500
- InvalidParameterException
-
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.
HTTP Status Code: 400
- InvalidSmsRoleAccessPolicyException
-
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.
HTTP Status Code: 400
- InvalidSmsRoleTrustRelationshipException
-
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust
cognito-idp.amazonaws.com
or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.HTTP Status Code: 400
- NotAuthorizedException
-
This exception is thrown when a user isn't authorized.
HTTP Status Code: 400
- ResourceNotFoundException
-
This exception is thrown when the Amazon Cognito service can't find the requested resource.
HTTP Status Code: 400
- TooManyRequestsException
-
This exception is thrown when the user has made too many requests for a given operation.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: