I want to create an AWS::Cognito::UserPool with only SOFTWARE_TOKEN_MFA enabled for MFA, using a CloudFormation template. When I specify only SOFTWARE_TOKEN_MFA as the enabled MFA method (without any SMS configuration), i.e.:
MfaConfiguration: 'ON'
EnabledMfas:
- 'SOFTWARE_TOKEN_MFA'
I get the following error:
“SMS configuration and Auto verification for phone_number are required when MFA is required/optional (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException; Request ID: xxxxxxxxxx; Proxy: null)”
I did a quick test using the console to create a user pool with TOTP MFA. After clicking the Create user pool button in the console, I found two API calls in the CloudTrail events: CreateUserPool followed by SetUserPoolMfaConfig.
On the CloudFormation side, it appears that setting MfaConfiguration to ON only works if the information needed for SMS verification is included in the original CreateUserPool API call.
From the Cognito perspective, Cognito currently does not support specifying the MFA configuration when creating a user pool via CloudFormation: when you set MfaConfiguration to ON in the CreateUserPool API call, it assumes that you are using SMS as the MFA method.
// Workaround
If you want to use TOTP without any SMS when creating a user pool, the workaround is to create the user pool without MFA and then use the SetUserPoolMfaConfig operation (set-user-pool-mfa-config in the CLI) to set MFA to ON or OPTIONAL with only TOTP enabled. In short, first create the user pool, then apply an update that adds the MFA configuration.
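The two-step workaround above as an added shell example (not code from the original post). It assumes AWS CLI v2 with working credentials; the pool name, the `us-east-1_PLACEHOLDER` id used in the test, and the `AWS_CMD` dry-run hook are my own placeholders and conventions, not part of the service. The third step reads the configuration back so you can confirm the pool ended up with MFA ON and TOTP as the only enabled method, with no SMS configuration attached.

```shell
#!/bin/sh
# Added example for the create-then-configure workaround; not from the original post.
# Assumes AWS CLI v2 and configured credentials. Pool names/ids are placeholders.
set -eu

# Set AWS_CMD=echo to dry-run: every aws command is printed instead of executed.
AWS_CMD="${AWS_CMD:-aws}"

# Step 1: create the pool with MFA OFF, so no SMS configuration is required.
# Prints the new user pool id. $1 = pool name.
create_pool_without_mfa() {
  "$AWS_CMD" cognito-idp create-user-pool \
    --pool-name "$1" \
    --mfa-configuration OFF \
    --query 'UserPool.Id' --output text
}

# Step 2: SetUserPoolMfaConfig with only the software-token (TOTP) method.
# No --sms-mfa-configuration is passed. $1 = pool id, $2 = ON or OPTIONAL.
enable_totp_only_mfa() {
  "$AWS_CMD" cognito-idp set-user-pool-mfa-config \
    --user-pool-id "$1" \
    --mfa-configuration "$2" \
    --software-token-mfa-configuration Enabled=true
}

# Step 3: read back "<MfaConfiguration> <TOTP enabled> <SMS config>" as text,
# e.g. "ON True None" for the state this workaround should produce.
get_mfa_summary() {
  "$AWS_CMD" cognito-idp get-user-pool-mfa-config \
    --user-pool-id "$1" \
    --query '[MfaConfiguration, SoftwareTokenMfaConfiguration.Enabled, SmsMfaConfiguration]' \
    --output text
}

# Returns 0 only when MFA is ON or OPTIONAL, TOTP is enabled, and no SMS
# configuration is present. $1 = output of get_mfa_summary.
verify_totp_only() {
  set -- $1
  [ $# -eq 3 ] || return 1
  case "$1" in ON|OPTIONAL) ;; *) return 1 ;; esac
  [ "$2" = "True" ] && [ "$3" = "None" ]
}

main() {
  pool_id=$(create_pool_without_mfa "$1")
  enable_totp_only_mfa "$pool_id" ON
  if verify_totp_only "$(get_mfa_summary "$pool_id")"; then
    echo "pool $pool_id: MFA ON, TOTP only, no SMS configuration"
  else
    echo "pool $pool_id: unexpected MFA configuration" >&2
    exit 1
  fi
}

# Run the end-to-end flow only when explicitly requested:
#   RUN_SETUP=1 POOL_NAME=my-pool sh totp_only_pool.sh
if [ "${RUN_SETUP:-0}" = 1 ]; then
  main "${POOL_NAME:-totp-only-pool}"
fi
```

Run it once with `AWS_CMD=echo RUN_SETUP=1` to see the exact three commands before touching a real account; `verify_totp_only` is the check worth keeping in a deployment pipeline, since a stack update that silently re-enables SMS or drops MFA back to OFF would otherwise go unnoticed.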