GetUserPoolMfaConfig
Given a user pool ID, returns configuration for sign-in with WebAuthn authenticators and for multi-factor authentication (MFA). This operation describes the following:
-
The WebAuthn relying party (RP) ID and user-verification settings.
-
The required, optional, or disabled state of MFA for all user pool users.
-
The message templates for email and SMS MFA.
-
The enabled or disabled state of time-based one-time password (TOTP) MFA.
Note
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Request Syntax
{
"UserPoolId": "string"
}Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- UserPoolId
-
The ID of the user pool where you want to query WebAuthn and MFA configuration.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 55.
Pattern:
[\w-]+_[0-9a-zA-Z]+Required: Yes
Response Syntax
{
"EmailMfaConfiguration": {
"Message": "string",
"Subject": "string"
},
"MfaConfiguration": "string",
"SmsMfaConfiguration": {
"SmsAuthenticationMessage": "string",
"SmsConfiguration": {
"ExternalId": "string",
"SnsCallerArn": "string",
"SnsRegion": "string"
}
},
"SoftwareTokenMfaConfiguration": {
"Enabled": boolean
},
"WebAuthnConfiguration": {
"RelyingPartyId": "string",
"UserVerification": "string"
}
}Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- EmailMfaConfiguration
-
Shows configuration for user pool email message MFA and sign-in with one-time passwords (OTPs). Includes the subject and body of the email message template for sign-in and MFA messages. To activate this setting, your user pool must be in the Essentials tier or higher.
Type: EmailMfaConfigType object
- MfaConfiguration
-
Displays the state of multi-factor authentication (MFA) as on, off, or optional. When
ON, all users must set up MFA before they can sign in. WhenOPTIONAL, your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, chooseOPTIONAL.When
MfaConfigurationisOPTIONAL, managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.Type: String
Valid Values:
OFF | ON | OPTIONAL - SmsMfaConfiguration
-
Shows user pool configuration for SMS message MFA. Includes the message template and the SMS message sending configuration for Amazon SNS.
Type: SmsMfaConfigType object
- SoftwareTokenMfaConfiguration
-
Shows user pool configuration for time-based one-time password (TOTP) MFA. Includes TOTP enabled or disabled state.
Type: SoftwareTokenMfaConfigType object
- WebAuthnConfiguration
-
Shows user pool configuration for sign-in with passkey authenticators like biometric devices and security keys. Passkeys are not eligible MFA factors. They are instead an eligible primary sign-in factor for choice-based authentication, or the
USER_AUTHflow.Type: WebAuthnConfigurationType object
Errors
For information about the errors that are common to all actions, see Common Errors.
- InternalErrorException
-
This exception is thrown when Amazon Cognito encounters an internal error.
HTTP Status Code: 500
- InvalidParameterException
-
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.
HTTP Status Code: 400
- NotAuthorizedException
-
This exception is thrown when a user isn't authorized.
HTTP Status Code: 400
- ResourceNotFoundException
-
This exception is thrown when the Amazon Cognito service can't find the requested resource.
HTTP Status Code: 400
- TooManyRequestsException
-
This exception is thrown when the user has made too many requests for a given operation.
HTTP Status Code: 400
Examples
Example
The following example request returns the MFA and WebAuthn configuration for the requested user pool.
Sample Request
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GetUserPoolMfaConfig
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
"UserPoolId": "us-west-2_EXAMPLE"
}Sample Response
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
"EmailMfaConfiguration": {
"Message": "Complete your sign-in: use {####}",
"Subject": "Your sign-in code"
},
"MfaConfiguration": "OPTIONAL",
"SmsMfaConfiguration": {
"SmsAuthenticationMessage": "Do not share this code with anyone. Your code is {####}.",
"SmsConfiguration": {
"ExternalId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"SnsCallerArn": "arn:aws:iam::123456789012:role/service-role/cognito-SMS-Role",
"SnsRegion": "us-west-2"
}
},
"SoftwareTokenMfaConfiguration": {
"Enabled": true
},
"WebAuthnConfiguration": {
"RelyingPartyId": "auth.example.com",
"UserVerification": "preferred"
}
}See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
