Introduction
If you’ve built authentication using AWS Cognito Hosted UI, you’ve likely appreciated its simplicity for user management, login, and multi-factor authentication (MFA).
But there’s one frustrating limitation developers often discover too late:
There’s no official AWS SDK method to reset a user’s MFA (TOTP) once it’s enabled.
When a user loses access to their authenticator app, you can’t simply “reset” MFA. Let’s explore why this happens, what AWS says about it, and the practical solution I implemented.
Why AWS Doesn’t Allow Resetting MFA (According to AWS)
This limitation is not a bug — it’s by design.
AWS has stated in multiple support cases and developer forum responses that MFA reset through the SDK is intentionally blocked for security and compliance reasons.
Here’s why:
- The MFA secret is encrypted and permanently tied to the user’s identity.
- Allowing silent resets would weaken MFA integrity, as an attacker or admin could remove MFA without user consent.
- AWS prioritizes security consistency across all authentication flows (Hosted UI, SDK, and CLI).
My Working Solution: Delete and Recreate the User
After researching and testing multiple approaches, the only reliable way to reset MFA in AWS Cognito Hosted UI is to delete and recreate the user.
Step-by-Step Solution
Retrieve the user’s attributes:
$user = $cognitoClient->adminGetUser([
'UserPoolId' => $userPoolId,
'Username' => $username,
]);
Delete the existing user:
$cognitoClient->adminDeleteUser([
'UserPoolId' => $userPoolId,
'Username' => $username
]);
Recreate the user:
$cognitoClient->adminCreateUser([
'UserPoolId' => $userPoolId,
'Username' => $username
]);
Ask the user to re-register MFA via the AWS Cognito Hosted UI.
When the user logs in again, Cognito will prompt them to configure MFA from scratch — effectively resetting their TOTP secret.
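The three steps above combined into one function, as an added example that is not the post's own code: it carries the retrieved attributes over to the recreated user (dropping `sub`, which Cognito assigns itself and will not accept as input) and returns the old and new `sub` so that any records keyed on the old one can be remapped. It assumes the AWS SDK for PHP installed through Composer, credentials from the default provider chain, and that `$username` is the stable sign-in name of the pool rather than an alias Cognito resolves to a generated username.

```php
<?php
// Added example (not the post's own code). Assumes the AWS SDK for PHP is
// installed with Composer and credentials come from the default provider chain.
require 'vendor/autoload.php';
use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;

/**
 * Delete and recreate $username so the next Hosted UI login forces a fresh
 * TOTP enrolment. Run it only after the person has been verified out of band:
 * this call removes MFA without any check on Cognito's side.
 * Returns the old and new 'sub'. The recreated user gets a NEW sub, so rows
 * keyed on the old one must be remapped; the old user's tokens are gone too.
 */
function resetUserMfa(CognitoIdentityProviderClient $client, string $userPoolId, string $username): array
{
    // Step 1: read the attributes so they survive the delete/recreate cycle.
    $user = $client->adminGetUser([
        'UserPoolId' => $userPoolId,
        'Username'   => $username,
    ]);

    $oldSub = null;
    $attributes = [];
    foreach ($user['UserAttributes'] as $attr) {
        if ($attr['Name'] === 'sub') {
            $oldSub = $attr['Value'];   // Cognito-assigned; cannot be passed back in
            continue;
        }
        $attributes[] = ['Name' => $attr['Name'], 'Value' => $attr['Value']];
    }

    // Step 2: delete the user; this is what actually discards the TOTP secret.
    $client->adminDeleteUser(['UserPoolId' => $userPoolId, 'Username' => $username]);

    // Step 3: recreate with the saved attributes. Without MessageAction, Cognito
    // sends its usual invitation message with a temporary password.
    $created = $client->adminCreateUser([
        'UserPoolId'     => $userPoolId,
        'Username'       => $username,
        'UserAttributes' => $attributes,
    ]);

    $newSub = null;
    foreach ($created['User']['Attributes'] as $attr) {
        if ($attr['Name'] === 'sub') {
            $newSub = $attr['Value'];
        }
    }
    return ['old_sub' => $oldSub, 'new_sub' => $newSub];
}
```

Log the returned pair alongside who requested the reset and how they were verified, since the delete/recreate cycle leaves no MFA-removal event of its own in the user's Cognito record.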