16

When using Cognito's forgotPassword function, I get a  'LimitExceededException' error if I try to run the forgot password method more than 5 times. 

Is there further documentation on this at this point?

This question brought up a similar point several years ago, but there was not guidance on any documentation. And this question brought up a similar issue, with comments noting in frustration there is no guidance on how long to wait.

I am hoping there is guidance available on:

How long does a user need to wait before trying it again? It's not helpful to my users to say "Please try again later", without any guidance on when. In my testing, I waited more than 30 minutes after, and the error still appears. This seems excessive for users. 

Can I add this protection to the signin process? (not just the reset password process). This security protection does not appear to occur in the case of signing in. There, I can enter an incorrect password multiple times without a "too many attempts" type warning. I'd assume that is an important security step.

SeanRtS
  • 1,005
  • 1
  • 13
  • 31

1 Answers1

7

According to https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html,

We allow five failed sign-in attempts. After that we start temporary lockouts with exponentially increasing times starting at 1 second and doubling after each failed attempt up to about 15 minutes. Attempts during a temporary lockout period are ignored. After the temporary lockout period, if the next attempt fails, a new temporary lockout starts with twice the duration as the last. Waiting about 15 minutes without any attempts will also reset the temporary lockout. Please note that this behavior is subject to change.

Big Pumpkin
  • 3,907
  • 1
  • 27
  • 18