Administrators can enroll, remove, and view TOTP authenticators for each of their users within the AWS SSO administrator portal. Alternatively, administrators can enable users to self-enroll within the user portal to speed up the enrollment process and reduce user friction.
Administrators can also enable context-aware mode, which lets users sign in with their username and password for most logins and prompts for TOTP-generated passcodes only when their sign-in context changes, such as a sign-in from an unknown device or location. For increased security or compliance requirements, you can choose always-on mode to prompt for TOTP-generated passcodes at every sign-in.
https://aws.amazon.com/about-aws/whats-new/2019/10/increase-aws-single-sign-on-security-with-multi-factor-authentication-using-authenticator-apps/