Unable to enable TOTP MFA when already setup using login with both email and phone #1481

Closed
harsh62 opened this issue May 8, 2024 · 1 comment · Fixed by #1523
Labels: auth, bug, p2

harsh62 (Member) commented May 8, 2024

Environment information

System:
  OS: macOS 14.4.1
  CPU: (10) arm64 Apple M1 Pro
  Memory: 161.22 MB / 16.00 GB
  Shell: /bin/zsh
Binaries:
  Node: 21.7.3 - /usr/local/bin/node
  Yarn: 1.22.21 - /opt/homebrew/bin/yarn
  npm: 10.5.0 - /usr/local/bin/npm
  pnpm: undefined - undefined
NPM Packages:
  @aws-amplify/backend: 1.0.0
  @aws-amplify/backend-cli: 1.0.1
  aws-amplify: 6.3.0
  aws-cdk: 2.140.0
  aws-cdk-lib: 2.140.0
  typescript: 5.4.5
AWS environment variables:
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables

Description

  1. Create user pool with

```ts
import { defineAuth } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    phone: true,
    email: true,
  },
})
```

and run `npx ampx sandbox`.

  2. Then enable TOTP MFA as follows:

```ts
import { defineAuth } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    phone: true,
    email: true,
  },
  multifactor: {
    mode: 'OPTIONAL',
    totp: true
  }
})
```

and run `npx ampx sandbox`.

Observe that you get an error: "Can't turn off SMS_MFA when SMS configuration is set for the user pool"

amplify-gen2docstesting-hsinghvq-sandbox-ee1b753139-auth179371D7-17YEFXCJ1KB5V |   0 | 6:23:40 p.m. | UPDATE_FAILED        | AWS::Cognito::UserPool     | auth/amplifyAuth/UserPool (amplifyAuthUserPool4BA7F805) Resource handler returned message: "Invalid request provided: Can't turn off SMS_MFA when SMS configuration is set for the user pool with a required or optional MFAConfiguration." (RequestToken: 46ffc05a-6dd8-72c8-5a36-1f3a93d2ee3a, HandlerErrorCode: InvalidRequest)

From this I am inferring that sms gets sent as false, that's why it's trying to turn it off.
Since nothing was mentioned about sms, MFA config should remain unchanged, rather than assuming a false value.

Expected behaviour:
Should be able to add TOTP MFA.

harsh62 added the pending-triage label May 8, 2024

ykethan (Contributor) commented May 9, 2024

Hey @harsh62, thank you for reaching out. I was able to reproduce the issue, marking as bug for further investigation.

But did notice, if I set the sms:true, the sandbox does deploy with errors.

```ts
import { defineAuth } from "@aws-amplify/backend";
/**
 * Define and configure your auth resource
 * @see https://docs.amplify.aws/gen2/build-a-backend/auth
 */
export const auth = defineAuth({
  loginWith: {
    email: true,
    phone: true,
  },
  multifactor: {
    mode: "OPTIONAL",
    totp: true,
    sms: true,
  },
});
```

Similar issue on cdk lib: aws/aws-cdk#11478 (comment)

ykethan added the bug, auth and p2 labels and removed the pending-triage label May 9, 2024
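
The combination named in the error message can be checked on a synthesized CloudFormation template before deploying. The TypeScript below is an added example, not code from this issue, Amplify or the CDK; `findSmsMfaConflicts` and `poolTemplate` are hypothetical names, the templates and role ARN are constructed samples, and it assumes phone login shows up as `SmsConfiguration` and the MFA factors as `EnabledMfas` on the `AWS::Cognito::UserPool` resource.

```typescript
// Added example: hypothetical pre-deploy check, not Amplify or CDK code.
interface CfnResource { Type: string; Properties?: Record<string, unknown>; }
interface CfnTemplate { Resources: Record<string, CfnResource>; }

// Returns the logical IDs of user pools matching the condition named in the
// error message: MFA optional or required, an SMS configuration present, and
// SMS_MFA missing from EnabledMfas.
function findSmsMfaConflicts(template: CfnTemplate): string[] {
  const conflicts: string[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const resource = template.Resources[logicalId];
    if (!resource || resource.Type !== "AWS::Cognito::UserPool") continue;
    const props = resource.Properties ?? {};
    // Assumption: an absent MfaConfiguration is treated as OFF.
    const mode: unknown = props["MfaConfiguration"] ?? "OFF";
    const mfaActive = mode === "ON" || mode === "OPTIONAL";
    const hasSmsConfig = props["SmsConfiguration"] !== undefined;
    const rawMfas = props["EnabledMfas"];
    const enabledMfas: unknown[] = Array.isArray(rawMfas) ? rawMfas : [];
    if (mfaActive && hasSmsConfig && enabledMfas.indexOf("SMS_MFA") === -1) {
      conflicts.push(logicalId);
    }
  }
  return conflicts;
}

// Constructed sample input; the SNS role ARN is a placeholder.
const smsConfig = { SnsCallerArn: "arn:aws:iam::111122223333:role/PLACEHOLDER" };
function poolTemplate(props: Record<string, unknown>): CfnTemplate {
  return {
    Resources: {
      amplifyAuthUserPool4BA7F805: { Type: "AWS::Cognito::UserPool", Properties: props },
      SomeBucket: { Type: "AWS::S3::Bucket" },
    },
  };
}
// Step 1 of the report: phone login, MFA not configured.
const noMfa = poolTemplate({ SmsConfiguration: smsConfig });
// Step 2: TOTP only, the update that failed.
const totpOnly = poolTemplate({
  SmsConfiguration: smsConfig, MfaConfiguration: "OPTIONAL",
  EnabledMfas: ["SOFTWARE_TOKEN_MFA"],
});
// The variant with sms: true from the reply.
const totpAndSms = poolTemplate({
  SmsConfiguration: smsConfig, MfaConfiguration: "OPTIONAL",
  EnabledMfas: ["SMS_MFA", "SOFTWARE_TOKEN_MFA"],
});
console.log(findSmsMfaConflicts(totpOnly));
```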