CognitoIdentityProvider / Client / verify_software_token

verify_software_token#

CognitoIdentityProvider.Client.verify_software_token(**kwargs)#

Registers the current user’s time-based one-time password (TOTP) authenticator with a code generated in their authenticator app from a private key that’s supplied by your user pool. Marks the user’s software token MFA status as “verified” if successful. The request takes an access token or a session string, but not both.

Note

Amazon Cognito doesn’t evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can’t use IAM credentials to authorize requests, and you can’t grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

Request Syntax

response = client.verify_software_token(
    AccessToken='string',
    Session='string',
    UserCode='string',
    FriendlyDeviceName='string'
)

Parameters:

AccessToken (string) – A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for aws.cognito.signin.user.admin.
Session (string) – The session ID from an AssociateSoftwareToken request.
UserCode (string) –
[REQUIRED]

A TOTP that the user generated in their configured authenticator app.
FriendlyDeviceName (string) – A friendly name for the device that’s running the TOTP authenticator.

Return type:

dict

Returns:

Response Syntax

{
    'Status': 'SUCCESS'|'ERROR',
    'Session': 'string'
}

Response Structure

(dict) –
- Status (string) –
  
  Amazon Cognito can accept or reject the code that you provide. This response parameter indicates the success of TOTP verification. Some reasons that this operation might return an error are clock skew on the user’s device and excessive retries.
- Session (string) –
  
  This session ID satisfies an MFA_SETUP challenge. Supply the session ID in your challenge response.