What should be the correct login process after enabling MFA if the user has not specified a phone number in advance?
The Hosted UI (or Managed Login) flow looks like this:
- user enters login and password
- user selects the SMS method
- user enters a phone number
- user enters the code from the phone
- logged in; the phone number is added and verified, and SMS is set as the default MFA method
How can I reproduce this flow with boto3?
My current temporary boto3 flow:
- user enters login and password
initiate_auth - returns an MFA_SETUP session
- user selects the SMS method
- user enters a phone number
admin_update_user_attributes - sets the phone number
admin_set_user_mfa_preference - sets SMS MFA
initiate_auth with the login and password previously saved as URL parameters (not the best solution) - returns an SMS_MFA session
- user enters the code from the phone
respond_to_auth_challenge with SMS_MFA - returns tokens and verifies the phone
In this solution I need to add the phone number before its verification, which is not the best option, while with the Hosted UI the phone is added and verified only after entering the code.
How can I reproduce a solution similar to Hosted UI?
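The boto3 flow listed in the question, written out as a small state machine (an added example after the question, not code from the post or from AWS). It makes the same five calls the question names, but keeps the username and password in server-side state between the two initiate_auth calls instead of in URL parameters, validates the phone number as E.164 before handing it to admin_update_user_attributes, and checks phone_number_verified with admin_get_user after sign-in. It assumes USER_PASSWORD_AUTH is enabled and the app client has no client secret (otherwise SECRET_HASH must be added). FakeCognito is a constructed stand-in for boto3.client("cognito-idp") so the flow runs offline; its responses mirror what the question reports (MFA_SETUP until a phone and SMS preference exist, phone marked verified after a correct code) and are not a statement about what Cognito guarantees. The SMS code "123456", the user "alice" and the pool/client ids are constructed.

```python
import re

E164 = re.compile(r"^\+[1-9]\d{1,14}$")


class SmsMfaSetupFlow:
    """Two-pass flow from the question: MFA_SETUP -> add phone -> re-initiate -> SMS_MFA."""

    def __init__(self, client, user_pool_id, client_id):
        self.client = client          # boto3.client("cognito-idp"), or any object with the same methods
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self._pending = {}            # username -> password, held server-side between the two initiate_auth calls

    def _initiate(self, username, password):
        # Assumes USER_PASSWORD_AUTH is enabled and the app client has no secret (else add SECRET_HASH).
        return self.client.initiate_auth(AuthFlow="USER_PASSWORD_AUTH", ClientId=self.client_id,
                                         AuthParameters={"USERNAME": username, "PASSWORD": password})

    @staticmethod
    def _result(resp):
        if "AuthenticationResult" in resp:
            return {"state": "DONE", "tokens": resp["AuthenticationResult"]}
        if resp.get("ChallengeName") == "SMS_MFA":
            params = resp.get("ChallengeParameters", {})
            return {"state": "NEED_CODE", "session": resp["Session"],
                    "destination": params.get("CODE_DELIVERY_DESTINATION")}
        raise RuntimeError("unexpected challenge: %s" % resp.get("ChallengeName"))

    def start(self, username, password):
        resp = self._initiate(username, password)
        if resp.get("ChallengeName") == "MFA_SETUP":
            self._pending[username] = password   # kept in process state, never in a URL
            return {"state": "NEED_PHONE",
                    "mfas_can_setup": resp.get("ChallengeParameters", {}).get("MFAS_CAN_SETUP", "")}
        return self._result(resp)

    def submit_phone(self, username, phone_number):
        if not E164.match(phone_number):
            raise ValueError("phone number must be E.164, e.g. +14155550100")
        if username not in self._pending:
            raise RuntimeError("no MFA_SETUP in progress for %s" % username)
        self.client.admin_update_user_attributes(
            UserPoolId=self.user_pool_id, Username=username,
            UserAttributes=[{"Name": "phone_number", "Value": phone_number}])
        self.client.admin_set_user_mfa_preference(
            UserPoolId=self.user_pool_id, Username=username,
            SMSMfaSettings={"Enabled": True, "PreferredMfa": True})
        password = self._pending.pop(username)   # used once for the second initiate_auth, then dropped
        return self._result(self._initiate(username, password))

    def submit_code(self, username, session, code):
        return self._result(self.client.respond_to_auth_challenge(
            ClientId=self.client_id, ChallengeName="SMS_MFA", Session=session,
            ChallengeResponses={"USERNAME": username, "SMS_MFA_CODE": code}))

    def phone_verified(self, username):
        user = self.client.admin_get_user(UserPoolId=self.user_pool_id, Username=username)
        attrs = {a["Name"]: a["Value"] for a in user.get("UserAttributes", [])}
        return attrs.get("phone_number_verified") == "true"


class FakeCognito:
    """Constructed offline stand-in for cognito-idp, mirroring the behaviour the question reports."""
    SMS_CODE = "123456"   # constructed; a real code is delivered by SMS

    def __init__(self, users):
        self.users = users    # username -> {"password": str, "attrs": dict, "sms_mfa": bool}
        self.sessions = {}    # session -> username
        self._n = 0

    def initiate_auth(self, AuthFlow, ClientId, AuthParameters):
        u = self.users.get(AuthParameters["USERNAME"])
        if u is None or u["password"] != AuthParameters["PASSWORD"]:
            raise PermissionError("NotAuthorizedException")
        if not u["sms_mfa"] or "phone_number" not in u["attrs"]:
            return {"ChallengeName": "MFA_SETUP", "Session": "setup",
                    "ChallengeParameters": {"MFAS_CAN_SETUP": '["SMS_MFA","SOFTWARE_TOKEN_MFA"]'}}
        self._n += 1
        session = "sess%d" % self._n
        self.sessions[session] = AuthParameters["USERNAME"]
        return {"ChallengeName": "SMS_MFA", "Session": session,
                "ChallengeParameters": {"CODE_DELIVERY_DESTINATION": "+*******0100"}}

    def admin_update_user_attributes(self, UserPoolId, Username, UserAttributes):
        for a in UserAttributes:
            self.users[Username]["attrs"][a["Name"]] = a["Value"]
        self.users[Username]["attrs"].setdefault("phone_number_verified", "false")  # added, not yet verified

    def admin_set_user_mfa_preference(self, UserPoolId, Username, SMSMfaSettings):
        self.users[Username]["sms_mfa"] = SMSMfaSettings["Enabled"]

    def respond_to_auth_challenge(self, ClientId, ChallengeName, Session, ChallengeResponses):
        username = self.sessions.pop(Session, None)   # a session is single-use
        if username != ChallengeResponses["USERNAME"] or ChallengeResponses["SMS_MFA_CODE"] != self.SMS_CODE:
            raise PermissionError("CodeMismatchException")
        self.users[username]["attrs"]["phone_number_verified"] = "true"   # as the question reports
        return {"AuthenticationResult": {"AccessToken": "a", "IdToken": "i", "RefreshToken": "r"}}

    def admin_get_user(self, UserPoolId, Username):
        return {"Username": Username, "UserAttributes": [
            {"Name": k, "Value": v} for k, v in self.users[Username]["attrs"].items()]}
```

Against a real pool, construct the flow with boto3.client("cognito-idp") in place of FakeCognito; the wrong-code path then surfaces as client.exceptions.CodeMismatchException rather than the PermissionError the fake raises. The _pending dict stands in for whatever server-side session store the web application already has; the point is only that the credentials never leave the server between the two initiate_auth calls.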