AWS Cognito 需要在配置中将以下标志 “DO_NOTHING” 更改为 “MFA_REQUIRED”，以便强制要求联合用户完成 MFA 挑战。以下是使用 Python Boto3 的示例代码：
import boto3
# Cognito user-pool (IDP) API client. No region or credentials are passed
# explicitly here, so boto3 resolves them from its default configuration.
client = boto3.client(service_name='cognito-idp')
client.update_user_pool_client(
UserPoolId='your-user-pool-id',
ClientId='your-client-id',
ExplicitAuthFlows=[
'ALLOW_ADMIN_USER_PASSWORD_AUTH',
],
PreventUserExistenceErrors='ENABLED',
SupportedIdentityProviders=[
'COGNITO',
'Google',
'Facebook',
],
CallbackURLs=[
'https://your_callback_url',
],
LogoutURLs=[
'https://your_logout_url',
],
DefaultRedirectURI='https://your_default_redirect_uri',
AllowedOAuthFlowsUserPoolClient=True,
AllowedOAuthFlows=[
'code',
'implicit',
],
AllowedOAuthScopes=[
'openid',
'aws.cognito.signin.user.admin',
'email',
],
AnalyticsConfiguration={
'ApplicationId': 'your_app_id',
'RoleArn': 'your_role_arn',
'ExternalId': 'your_external_id',
'UserDataShared': True|False
},
PreventUserExistenceErrors=['ENABLED'|'LEGACY'],
EnableTokenRevocation=True|False,
TokenValidityUnits={
'AccessToken': 'seconds',
'IdToken': 'seconds',
'RefreshToken': 'seconds'
},
IdTokenValidity=3600,
AccessTokenValidity=3600,
RefreshTokenValidity=1209600,
ExplicitAuthFlows=['ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY'|'USER_PASSWORD_AUTH'],
SupportedIdentityProviders=['COGNITO'|'Facebook'|'Google'|'LoginWithAmazon'|'OpenIdConnect'],
UseDefaults=False,
AllowAdminCreateUserOnly=True|False,
ChallengeRequiredOnNewDevice=True|False,
UsernameAttributes=[
'phone_number'|'email',
],
AutoVerifiedAttributes=[
'phone_number'|'email',
],
DeviceConfiguration={