
If MFA (TOTP) is enabled at the user pool level, MFA is enabled by default for every user inside the pool. I need to distinguish between users who have set up their MFA and users who still haven't set up MFA. (Setting up means registering TOTP-based authentication through apps like Google Authenticator etc.)

To ascertain the above, what I did was fetch the user object info using the GetUser API. If the response contains "UserMFASettingList": [ "string" ], I presumed the user had already set up MFA, but this approach fails in certain cases. E.g. for a user who has not set up his MFA and then disables and re-enables MFA, the above property is populated as well, so checking for this property doesn't work. I have used the AdminSetUserMFAPreference API to enable and disable.

Is there any explicit API or method etc. that can help me determine how many users in a user pool have set up MFA and how many haven't?

Shwetabh Shekhar

1 Answer


Currently, there is no direct API to find the number of users that have MFA enabled or disabled. You could file a request for the same with AWS Support; they could convey the need to the developers of the service.

Unfortunately, you would have to write glitchy code using UserMFASettingList for the time being, as that's the only API flag Amazon provides for this requirement.

Since the existing APIs aren't satisfying your use case, you could manually log the same using Lambda triggers during the authentication flow, if you have CUSTOM_AUTH enabled for your authentication engine. That would mean rewriting a lot of code and changing the entire flow of how auth works for your software (and porting users to the new engine), but it could expedite the requirement of getting the number of users, and you can have your own OTP generator using AWS SNS and AWS Lambda, which could be made secure and reliable with a lot of veneers.

Arka Mukherjee
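The UserMFASettingList check that the question tries and the answer recommends, written out as an added example (this is not code from either poster). It assumes boto3's cognito-idp client, a caller allowed to call cognito-idp:ListUsers and cognito-idp:AdminGetUser, and a placeholder pool id; the stub client and its four users are constructed so the tally runs offline. Because ListUsers pages do not carry MFA settings, every user needs its own AdminGetUser call, and the result counts MFA preference flags, not registered devices, which is the limitation the question describes.

```python
"""Tally Cognito users by what UserMFASettingList reports.

Added example, not from the original question or answer. Assumes boto3's
cognito-idp client shape; the pool id and the stub users are placeholders.
"""
from collections import Counter

# Values Cognito puts in UserMFASettingList when a factor's preference is on.
SOFTWARE_TOKEN_MFA = "SOFTWARE_TOKEN_MFA"
SMS_MFA = "SMS_MFA"


def mfa_state(admin_get_user_response):
    """Classify one AdminGetUser response into 'totp', 'sms' or 'none'.

    The list mirrors the user's MFA preference flags (what
    AdminSetUserMFAPreference toggles), so 'totp' means "TOTP preference
    enabled", not necessarily "a TOTP device was ever verified".
    """
    settings = admin_get_user_response.get("UserMFASettingList") or []
    if SOFTWARE_TOKEN_MFA in settings:
        return "totp"
    if SMS_MFA in settings:
        return "sms"
    return "none"


def count_mfa_states(client, user_pool_id):
    """Walk every user in the pool and tally mfa_state() per user.

    `client` is anything exposing boto3's cognito-idp get_paginator() and
    admin_get_user(); a real boto3 client or the stub below both work.
    """
    counts = Counter()
    paginator = client.get_paginator("list_users")
    for page in paginator.paginate(UserPoolId=user_pool_id):
        for user in page["Users"]:
            # ListUsers pages carry no MFA settings, so one AdminGetUser per user.
            resp = client.admin_get_user(
                UserPoolId=user_pool_id, Username=user["Username"]
            )
            counts[mfa_state(resp)] += 1
    return counts


class _StubCognito:
    """Constructed offline stand-in for the cognito-idp client (sample data)."""

    _USERS = {
        "alice": {"Username": "alice",
                  "UserMFASettingList": [SOFTWARE_TOKEN_MFA],
                  "PreferredMfaSetting": SOFTWARE_TOKEN_MFA},
        "bob": {"Username": "bob"},  # never touched MFA: no list at all
        "carol": {"Username": "carol",
                  "UserMFASettingList": [SMS_MFA],
                  "PreferredMfaSetting": SMS_MFA},
        "dave": {"Username": "dave", "UserMFASettingList": []},  # disabled
    }

    class _Paginator:
        def __init__(self, names):
            self._names = names

        def paginate(self, UserPoolId, **kwargs):
            # Split into two pages so the pagination path is exercised.
            yield {"Users": [{"Username": n} for n in self._names[:2]]}
            yield {"Users": [{"Username": n} for n in self._names[2:]]}

    def get_paginator(self, name):
        assert name == "list_users"
        return self._Paginator(list(self._USERS))

    def admin_get_user(self, UserPoolId, Username):
        return dict(self._USERS[Username])


def demo_counts():
    """Run the tally against the constructed stub pool."""
    return count_mfa_states(_StubCognito(), "us-east-1_EXAMPLE")


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        import boto3  # only needed for a live run: python script.py <pool id>

        result = count_mfa_states(boto3.client("cognito-idp"), sys.argv[1])
    else:
        result = demo_counts()
    print(dict(result))
```

The 'totp' bucket is the best the admin APIs give you, and it is exactly the bucket the question found unreliable after an enable/disable toggle. The signal that does distinguish a registered device from a bare preference flag shows up at sign-in rather than in user lookups: when pool MFA is on and the user has no verified software token, InitiateAuth/AdminInitiateAuth returns the MFA_SETUP challenge instead of SOFTWARE_TOKEN_MFA, which is the event a Lambda trigger or sign-in log can record.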