
We have an application using AWS Cognito (+ hosted web UI) where users are only created by administrators. MFA with SMS is required. This is our current flow for new users:

  1. Admin creates a new user using AdminCreateUser from the aws-sdk. Email, name and phone number are given.
  2. A new account is created with FORCE_CHANGE_PASSWORD status. Username and a temporary password are sent to the user via email.
  3. User signs in for the first time with the temporary password.
  4. Cognito asks for a new password.
  5. User sets their new password and proceeds to log in.
  6. MFA code is sent to user via SMS. However, Cognito does not ask for the MFA code. User simply gets logged in. Account status is now CONFIRMED but phone_number_verified is not set.

However, the MFA challenge works fine starting from the second login. In other words, the user's phone number only gets verified if they manage to log in for the second time. This means that a user who forgets their password after the initial login is unable to reset their password (as it requires a verified phone number).

Any idea why this is happening and what settings I should look into? I'm aware I can avoid the main problem by programmatically setting phone_number_verified to true, but I'd like to know why the MFA challenge fails on first login.

msarakon
  • Did you find any solution to this? – Renaldo Balaj Oct 07 '20 at 16:16
  • @RenaldoBalaj My workaround was to programmatically set `phone_number_verified` as `true` on registration. It's not a good solution (since the phone number is not actually verified at that point) but users that have only logged in once can now reset their passwords so it's better than the previous situation. Our "real" solution is to switch from Cognito to a proper IDM :) – msarakon Oct 08 '20 at 18:44
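The state the question describes (UserStatus CONFIRMED, phone_number_verified absent) is easy to audit from the pool itself. The script below is an added example, not code from the question, the answer, or AWS: it pages through ListUsers, reports accounts that could log in but could not complete a phone-based password reset, and applies the workaround from the comment above via AdminUpdateUserAttributes. It assumes a boto3 `cognito-idp` client is passed in (only `list_users` and `admin_update_user_attributes` are called); `FakeCognitoClient`, the pool id and the usernames are constructed stand-ins so it runs offline.

```python
"""Audit a Cognito user pool for accounts that are CONFIRMED but whose
phone number was never marked verified (the first-login MFA gap above).

Added example. Assumes a boto3 'cognito-idp' client; FakeCognitoClient
is a constructed offline stand-in, and POOL_ID/usernames are placeholders.
"""
import copy
from typing import Iterator


def attributes_to_dict(attributes: list) -> dict:
    """Flatten Cognito's [{'Name': ..., 'Value': ...}] list into a dict."""
    return {a["Name"]: a["Value"] for a in attributes}


def is_stuck(user: dict) -> bool:
    """CONFIRMED account whose phone_number_verified is missing or not 'true'.

    Cognito stores the flag as the string 'true'/'false'; a missing attribute
    counts as unverified, which is exactly what blocks ForgotPassword.
    """
    attrs = attributes_to_dict(user.get("Attributes", []))
    verified = attrs.get("phone_number_verified", "false").lower() == "true"
    return user.get("UserStatus") == "CONFIRMED" and not verified


def iter_users(client, user_pool_id: str) -> Iterator[dict]:
    """Page through ListUsers using the PaginationToken the API returns."""
    token = None
    while True:
        kwargs = {"UserPoolId": user_pool_id}
        if token:
            kwargs["PaginationToken"] = token
        page = client.list_users(**kwargs)
        yield from page.get("Users", [])
        token = page.get("PaginationToken")
        if not token:
            return


def find_stuck_users(client, user_pool_id: str) -> list:
    """Usernames that can sign in but cannot reset their password by SMS."""
    return [u["Username"] for u in iter_users(client, user_pool_id) if is_stuck(u)]


def mark_phone_verified(client, user_pool_id: str, username: str) -> None:
    """The workaround from the comments: flag the number verified.

    This records a verification Cognito never performed, so apply it only to
    numbers an administrator entered and confirmed out of band (the question's
    AdminCreateUser situation).
    """
    client.admin_update_user_attributes(
        UserPoolId=user_pool_id,
        Username=username,
        UserAttributes=[{"Name": "phone_number_verified", "Value": "true"}],
    )


class FakeCognitoClient:
    """Constructed in-memory stand-in for the two boto3 calls used above."""

    def __init__(self, pages):
        self._pages = copy.deepcopy(list(pages))  # pages of user dicts

    def list_users(self, UserPoolId, PaginationToken=None, **_):
        idx = int(PaginationToken) if PaginationToken else 0
        resp = {"Users": self._pages[idx]}
        if idx + 1 < len(self._pages):
            resp["PaginationToken"] = str(idx + 1)
        return resp

    def admin_update_user_attributes(self, UserPoolId, Username, UserAttributes):
        for user in (u for page in self._pages for u in page):
            if user["Username"] == Username:
                current = attributes_to_dict(user["Attributes"])
                current.update(attributes_to_dict(UserAttributes))
                user["Attributes"] = [{"Name": k, "Value": v} for k, v in current.items()]
                return {}
        raise KeyError(Username)  # boto3 raises UserNotFoundException here


POOL_ID = "eu-west-1_PLACEHOLDER"  # placeholder, not a real pool id

# Constructed sample data shaped like ListUsers output, split over two pages.
SAMPLE_PAGES = [
    [
        {"Username": "alice", "UserStatus": "CONFIRMED",  # second login done: MFA ran
         "Attributes": [{"Name": "phone_number", "Value": "+15550100001"},
                        {"Name": "phone_number_verified", "Value": "true"}]},
        {"Username": "bob", "UserStatus": "CONFIRMED",  # logged in once: stuck
         "Attributes": [{"Name": "phone_number", "Value": "+15550100002"}]},
    ],
    [
        {"Username": "carol", "UserStatus": "FORCE_CHANGE_PASSWORD",  # never logged in
         "Attributes": [{"Name": "phone_number", "Value": "+15550100003"}]},
    ],
]


if __name__ == "__main__":
    client = FakeCognitoClient(SAMPLE_PAGES)  # swap for boto3.client("cognito-idp")
    for name in find_stuck_users(client, POOL_ID):
        print("stuck:", name)
        mark_phone_verified(client, POOL_ID, name)
    print("after fix:", find_stuck_users(client, POOL_ID))
```

Run against a real pool by replacing the fake with `boto3.client("cognito-idp")`; the audit alone needs only `cognito-idp:ListUsers`, and the fix-up needs `AdminUpdateUserAttributes`, so an audit-only run can use a read-only role.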

1 Answer


I've been really disappointed in the AWS hosted auth UI. It's ugly and very limited. As you've discovered, for example, it doesn't handle MFA at all.

The best alternative I've found is to use the Authenticator Amplify UI component. It's possible to use Amplify UI without using the Amplify CLI or hosting your site on AWS, so it's pretty well a drop-in solution. Authenticator handles setting up software TOTP tokens and the TOTP challenge as needed. I haven't used it for SMS, but this page implies it's supported.

You can learn how to use Amplify UI components standalone (without the CLI and AWS hosting) in this StackOverflow answer.

Nick K9