
I am setting up Amazon Cognito for authentication to use a Kibana instance. I only permit administrators to create users, and I permit only the Cognito User Pool identity provider. When creating the user pool, I set Multi-Factor Authentication to "required" and enabled only the "Time-based One-time Password" option. I use an Amazon Cognito domain for the sign-in page.

When I create a Cognito user from the AWS Console, I send the invitation by email. When going to the Kibana URL, the server redirects to the Cognito sign-in page as expected. After login with the temporary password in the email, the user is required to change the password, then attempts login again.

The problem is that MFA is required, but the user has no opportunity to set up a TOTP application. I would have expected TOTP setup to follow the required password change. Instead, Cognito rejects the login for not having MFA enabled:

You must have multi-factor authentication (MFA) set up to sign in. Please set up MFA and try again.

[Screenshot: Cognito login error message for lack of MFA]

Managing the user in the AWS Console shows an option to enable SMS MFA. But, I'm not using SMS.

[Screenshot: user-management UI]

The TOTP Software Token MFA documentation states:

When your user chooses TOTP software token MFA, call AssociateSoftwareToken to return a unique generated shared secret key code for the user account. The request for this API method takes an access token or a session string, but not both. As a convenience, you can distribute the secret key as a quick response (QR) code.

But that sounds like I need to make an API call somehow after the user "chooses" TOTP. I'm not writing my own application that could make the API call -- this authentication is only for accessing the Kibana instance provided with Amazon Elasticsearch Service.

How can users initialize TOTP so they can use it to complete login as required?

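The API sequence the quoted documentation refers to, written out as an added example script; it is not part of the original post and not AWS's own code. It assumes AWS credentials with cognito-idp admin rights in the environment, an app client with the ALLOW_ADMIN_USER_PASSWORD_AUTH flow enabled and no client secret (otherwise a SECRET_HASH would be required), and a user the administrator created who still holds a temporary password. The user pool ID, client ID, username, passwords and issuer name are placeholders. The totp() helper is a plain RFC 6238 implementation (HMAC-SHA1, 30-second step, 6 digits, which is what the Cognito software token uses) so that the code an authenticator app will display for a given secret can be checked without the AWS SDK; boto3 is only needed for the enrolment itself.

```python
"""Enrol a TOTP device for a Cognito user through the MFA_SETUP challenge.

Hypothetical helper script (not from the original post or AWS). Assumes:
  * AWS credentials with cognito-idp admin rights in the environment,
  * an app client with ALLOW_ADMIN_USER_PASSWORD_AUTH enabled and no client secret,
  * the user was created by an administrator and still has a temporary password.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional


def totp(secret_b32: str, unix_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits): the code an authenticator
    app shows for the secret returned by AssociateSoftwareToken."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    now = time.time() if unix_time is None else unix_time
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otpauth_uri(secret_b32: str, username: str, issuer: str) -> str:
    """Provisioning URI an authenticator app can import (render it as a QR code).
    Assumes plain ASCII issuer/username; URL-encode them otherwise."""
    return f"otpauth://totp/{issuer}:{username}?secret={secret_b32}&issuer={issuer}"


def enroll_totp(user_pool_id: str, client_id: str, username: str,
                temp_password: str, new_password: str, issuer: str,
                code_source: Optional[Callable[[str], str]] = None) -> dict:
    """Walk an admin-created user through NEW_PASSWORD_REQUIRED and MFA_SETUP.

    code_source(secret) must return the current 6-digit code. By default the
    user types it from their own authenticator app, so the administrator never
    holds the secret beyond displaying the provisioning URI. Passing
    lambda s: totp(s) completes enrolment unattended, but then the admin has
    seen the secret and must hand the URI to the user out of band.
    """
    import boto3  # imported here so totp()/otpauth_uri() work without the SDK installed

    idp = boto3.client("cognito-idp")
    resp = idp.admin_initiate_auth(
        UserPoolId=user_pool_id, ClientId=client_id,
        AuthFlow="ADMIN_USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": temp_password},
    )

    # First sign-in with a temporary password: Cognito demands a new one.
    if resp.get("ChallengeName") == "NEW_PASSWORD_REQUIRED":
        resp = idp.admin_respond_to_auth_challenge(
            UserPoolId=user_pool_id, ClientId=client_id,
            ChallengeName="NEW_PASSWORD_REQUIRED", Session=resp["Session"],
            ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password},
        )

    # MFA is required but nothing is enrolled yet: Cognito issues MFA_SETUP.
    if resp.get("ChallengeName") != "MFA_SETUP":
        raise RuntimeError(f"unexpected challenge: {resp.get('ChallengeName')}")

    # AssociateSoftwareToken takes the MFA_SETUP session (not an access token).
    assoc = idp.associate_software_token(Session=resp["Session"])
    secret = assoc["SecretCode"]
    print("Scan this in an authenticator app:", otpauth_uri(secret, username, issuer))

    ask = code_source or (lambda _s: input("6-digit code from the app: ").strip())
    verified = idp.verify_software_token(Session=assoc["Session"], UserCode=ask(secret),
                                         FriendlyDeviceName="enrolled-by-admin")
    if verified["Status"] != "SUCCESS":
        raise RuntimeError("TOTP verification failed")

    # Answering MFA_SETUP with the session from VerifySoftwareToken finishes sign-in.
    final = idp.admin_respond_to_auth_challenge(
        UserPoolId=user_pool_id, ClientId=client_id,
        ChallengeName="MFA_SETUP", Session=verified["Session"],
        ChallengeResponses={"USERNAME": username},
    )
    return final.get("AuthenticationResult", {})


if __name__ == "__main__":
    import os  # POOL_ID, CLIENT_ID, TEMP_PW and NEW_PW are placeholder variable names
    tokens = enroll_totp(os.environ["POOL_ID"], os.environ["CLIENT_ID"], "alice",
                         os.environ["TEMP_PW"], os.environ["NEW_PW"], "kibana")
    print("signed in, id token present:", "IdToken" in tokens)
```

Once VerifySoftwareToken has succeeded and MFA_SETUP is answered, the user's software token is registered, and later sign-ins (including through the hosted sign-in page) receive the SOFTWARE_TOKEN_MFA challenge instead of the "must have MFA set up" rejection. Run the script over a TLS-protected session from an administrator workstation, and prefer the interactive path where the user reads the code from their own device, since the unattended path exposes the shared secret to whoever runs the script.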