What is Amazon Cognito? 

Amazon Cognito is a simple user identity and data synchronization service that provides authentication, authorization, and user management, helping us securely manage app data across applications for our users.

Amazon Cognito allows us to control permissions for different user groups in our applications to ensure that they have appropriate access to back-end AWS resources.


We have users configured in an Amazon Cognito user pool; some of them have SMS MFA enabled and some have TOTP software token MFA enabled.

If the mobile device is lost, neither MFA login method (SMS MFA or software token MFA) will work.

To handle such cases we need to reset MFA for the affected Cognito users.

In the following example, we use the AWS SDK for Java for Amazon Cognito to remove/reset MFA for Cognito users.

Maven dependency

<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-core</artifactId>
    <version>1.11.764</version>
</dependency>
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-cognitoidp</artifactId>
    <version>1.11.764</version>
</dependency>
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk</artifactId>
    <version>1.11.360</version>
</dependency>

Create CognitoClient Instance

import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClientBuilder;

// User pool id referenced by the reset methods below (placeholder value).
private static final String userpoolId = "-- your user pool id --";

public static AWSCognitoIdentityProvider getAWSCognitoIdentityClient() {
    // The article used root account credentials here; prefer keys for a
    // least-privilege IAM user or role that is only allowed the Cognito admin calls it needs.
    System.setProperty("aws.accessKeyId", "-- your accessKey Id--");
    System.setProperty("aws.secretKey", "-- your secret Key--");
    AWSCognitoIdentityProvider cognitoClient = AWSCognitoIdentityProviderClientBuilder.standard()
            .withRegion(Regions.AP_SOUTH_1)
            .withCredentials(new SystemPropertiesCredentialsProvider())
            .build();
    return cognitoClient;
}

Remove/Reset the TOTP Token

If TOTP software token MFA is enabled for the user, the corresponding entry should be deleted from the Google Authenticator app. Then we set the software token MFA preference for the Cognito user to disabled.

import com.amazonaws.services.cognitoidp.model.AdminSetUserMFAPreferenceRequest;
import com.amazonaws.services.cognitoidp.model.SoftwareTokenMfaSettingsType;

public static void resetSoftwareMFA(String username) {
    AWSCognitoIdentityProvider client = getAWSCognitoIdentityClient();
    // Disable TOTP and drop it as the preferred factor.
    final SoftwareTokenMfaSettingsType sw = new SoftwareTokenMfaSettingsType()
            .withEnabled(false)
            .withPreferredMfa(false);
    final AdminSetUserMFAPreferenceRequest adminsetusermfapreferencerequest = new AdminSetUserMFAPreferenceRequest()
            .withUsername(username)
            .withSoftwareTokenMfaSettings(sw)
            .withUserPoolId(userpoolId);
    client.adminSetUserMFAPreference(adminsetusermfapreferencerequest);
}

Reset SMS MFA

To reset SMS MFA we need to update the MFA preference as given below.

import com.amazonaws.services.cognitoidp.model.AdminSetUserMFAPreferenceRequest;
import com.amazonaws.services.cognitoidp.model.SMSMfaSettingsType;

public static void resetSMSMFA(String username) {
    AWSCognitoIdentityProvider client = getAWSCognitoIdentityClient();
    // Disable SMS MFA and drop it as the preferred factor.
    final SMSMfaSettingsType sMSMfaSettings = new SMSMfaSettingsType()
            .withEnabled(false)
            .withPreferredMfa(false);
    final AdminSetUserMFAPreferenceRequest adminsetusermfapreferencerequest = new AdminSetUserMFAPreferenceRequest()
            .withUsername(username)
            .withSMSMfaSettings(sMSMfaSettings)
            .withUserPoolId(userpoolId);
    client.adminSetUserMFAPreference(adminsetusermfapreferencerequest);
}
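Since a lost device affects both factors at once, the two resets above can be combined into a single AdminSetUserMFAPreference call and then verified with AdminGetUser, so the helpdesk operator knows the reset actually took effect. This is an added example and not code from the original article; the USER_POOL_ID placeholder, the ticketId parameter, and the use of the default credentials provider chain instead of hardcoded keys are assumptions.

```java
import java.util.List;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClientBuilder;
import com.amazonaws.services.cognitoidp.model.AdminGetUserRequest;
import com.amazonaws.services.cognitoidp.model.AdminGetUserResult;
import com.amazonaws.services.cognitoidp.model.AdminSetUserMFAPreferenceRequest;
import com.amazonaws.services.cognitoidp.model.SMSMfaSettingsType;
import com.amazonaws.services.cognitoidp.model.SoftwareTokenMfaSettingsType;

public class MfaReset {
    // Placeholder: replace with the real user pool id.
    private static final String USER_POOL_ID = "<USER_POOL_ID>";

    // Credentials come from the default chain (env vars, profile, instance role),
    // not from keys in source. The calling IAM principal should be limited to
    // cognito-idp:AdminSetUserMFAPreference and cognito-idp:AdminGetUser on this pool.
    private static AWSCognitoIdentityProvider client() {
        return AWSCognitoIdentityProviderClientBuilder.standard()
                .withRegion(Regions.AP_SOUTH_1)
                .withCredentials(new DefaultAWSCredentialsProviderChain())
                .build();
    }

    /** Disables SMS and TOTP MFA in one request, then reads the user back to confirm. */
    public static boolean resetAllMfa(String username, String ticketId) {
        AWSCognitoIdentityProvider client = client();
        client.adminSetUserMFAPreference(new AdminSetUserMFAPreferenceRequest()
                .withUserPoolId(USER_POOL_ID)
                .withUsername(username)
                .withSMSMfaSettings(new SMSMfaSettingsType().withEnabled(false).withPreferredMfa(false))
                .withSoftwareTokenMfaSettings(new SoftwareTokenMfaSettingsType().withEnabled(false).withPreferredMfa(false)));

        // Verify: after the reset the user should have no active MFA settings and no preferred factor.
        AdminGetUserResult user = client.adminGetUser(new AdminGetUserRequest()
                .withUserPoolId(USER_POOL_ID)
                .withUsername(username));
        List<String> active = user.getUserMFASettingList();
        boolean cleared = (active == null || active.isEmpty()) && user.getPreferredMfaSetting() == null;

        // Audit line for the helpdesk action; ticketId is an assumed field from the support workflow.
        System.out.printf("mfa-reset user=%s ticket=%s cleared=%b%n", username, ticketId, cleared);
        return cleared;
    }
}
```

Treat a `false` return as a failed reset and investigate before telling the user to sign in again; the audit line also gives the security team a record to correlate with the corresponding CloudTrail event.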

In this article, we have seen how to reset a user's MFA in AWS Cognito using Java. All source code in the article can be found in the GitHub repository.