Passwordless Cognito with SMS MFA

Question

First, have seen:

https://github.com/amazon-archives/amazon-cognito-identity-js/issues/228
https://github.com/aws/amazon-cognito-auth-js/issues/18
AWS Cognito User Pool without a password : This solution seems overengineered, generating, storing, referencing user passwords in dynamodb or implementing SMS MFA manually

and definitely the fine examples by Buggy@Github over at: https://github.com/buggy/project-x-server/tree/master/shopify/src

However, all passwordless flows I've seen so far seem to also use custom auth, like captcha. I'm looking to use AWS's built-in SMS MFA, which has otherwise been working great for me.

Using:

Amplify
React (vanilla)

Things that work:

Login with phonenumber and password, with confirmation code. Ie, this:

const user = await Auth.signIn(this.state.phoneNumber, this.state.password)
...then...
const data = await Auth.confirmSignIn(this.state.user, this.state.confirmationCode, 'SMS_MFA');

Passwordless login without any MFA, using a Preauthentication Lambda trigger (obviously not a viable solution):
```
event.response.issueTokens = true;
event.response.failAuthentication = false;
```

The Problem: When I try to log in to a user account sending just the username like this:

const user = await Auth.signIn(this.state.phoneNumber)

Amplify gives the (misspelled) error message:

null failed with error Generate callenges lambda cannot be called..

That is with no lambda triggers set for the user pool.

If I set a defineAuthChallenge trigger that includes the following:

event.response.issueTokens = true;
event.response.failAuthentication = false;

It, of course, just logs me in without MFA. But if I set issueTokens to false, the auth flow fails, and I get an error from amplify on the next page load about missing an ID Token.

If I set event.response.challengeName = 'SMS_MFA', the errors go away, but the SMS doesn't get sent, and I don't authenticate.

Is there a way to (a) actually set SMS MFA as my 'custom challenge' in a way that works? (b) better yet, not use any lambda triggers at all and get amplify & the user pool to go along without passwords?

As it stands, the only workarounds I can see:

implement SMS MFA manually (no thanks)
hard-code passwords for users on the client side for signup and signin

score 0 · Answer 1 · answered Sep 24 '18 at 02:34

I've implemented passwordless Cognito by:

Setting refresh token expiration to a really long time
When user signs up, generate a throwaway password and use the regular Cognito signUp API to create the user
Never store or show the user the throwaway password - rely on Cognito session refresh to keep user "logged in"
If refresh token expires or something else goes wrong, abuse the Cognito reset password flow by sending the user a verification code and generating another throwaway password.

This has worked for us, but it is kind of hacky. However it doesn't rely on any custom triggers and uses the regular Cognito client APIs. Have not tried it with MFA though

I understand what you are saying here. However, let's take the following steps: (1.) Call Cognito signUp API with temp password (2.) At this point, the user can be UNCONFIRMED (3.) User receives verification code (4.) User inputs verification code 5. User becomes CONFIRMED. Now, we can sign in the user. We take the user verification code and use the temp password to authenticate the user. We must store the password we generated in step #1 to retrieve it in step #5. How are you bypassing that? — MoMo, Feb 01 '20 at 00:16

Jimmy_m · Answer 2 · 2019-03-21T21:16:07.727

0

Might be useful: Password-free SMS Authentication with AWS Cognito, Lambda Node.js & iOS Swift

It suggests using SNS directly instead of via Cognito's MFA.

edited Mar 21 '19 at 21:16

answered Mar 21 '19 at 21:04

Jimmy_m

1,568
20
24

3

That link is not available anymore. Do you have anything similar? Thanks. – Ricardo Dec 09 '19 at 15:58

Passwordless Cognito with SMS MFA

2 Answers2