3

I'm using ASW Cognito for authenticating users. Cognito has a well-documented flow to handle users who have forgotten their passwords.

How do I handle users who have forgotten their usernames? Is there a built-in flow that lets the user enter their email or phone number, and then receive an email or text with their associated username? I found the ListUser API, which returns all the users in a userpool. I could write a Lambda function that filters through all my users, looking for a match on email or phone number. But this seems like overkill.

Shouvik
  • 157
  • 10

2 Answers2

3

Unfortunately, there is no default out of the box workflow of "Forgot Username".

I am implementing similar workflow. We ask user for their registered phone number/email, and we retrieve username based on that number and send it to email/phone according to configuration. If user is configured to use email and phone both, we send SMS to phone if user forget username (which is email id they used during sign up).

One major drawback of this approach is that, we need to provide ListUsers API call access to anonymous user which is a potential security issue but can't seem to find any other way by which we inform user about their login details.

Niraj Bhatt
  • 91
  • 4
  • Are you using AWS SES and SNS service to send username with custom message over email and phone? If possible can you share code snippet? – Harsh Kanakhara Mar 22 '21 at 11:17
2

For those, who are looking for the solution, don't give the anonymous user access to ListUser API as suggested in the accepted answer.

There are two ways to implement 'Forgot username flow'.

  1. Enable email as an alias for your Cognito User Pool:

Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password. For the Username parameter, you can use the username or user alias. The method used to send the confirmation code is sent according to the specified AccountRecoverySetting.

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html

The user will be able to reset the password with their email and code delivered to provided email address. If you still want to remind the username, you can use Lambda trigger to generate the password reset email with both username and verification code.

  1. Use the backend (web server or lambda) which will receive the email address as an input to the 'Forgot username flow'. The backend will have permissions to invoke List Users API (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html) and will perform user lookup using the email. You now can go into Forgot Password flow using the retrieved username. Lambda trigger will be used to generate password reset email with username and verification code.

You can protect this API from abuse using WAF and/or captcha.

Andriy Kharchuk
  • 1,165
  • 1
  • 13
  • 25