Is MFA always required after forgot password reset, even on remembered devices? #3364
Comments
If the MFA challenge is not guaranteed to be presented after a password reset, can we use the message customization lambda or some other method to suppress the password reset email from being sent? Assume that the attacker is calling the password reset API from our JavaScript app client ID, such as using the method cognitoUser.forgotPassword().
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs. Looking for a help forum? We recommend joining the Amplify Community Discord server.
**Which Category is your question related to?**
Authentication
**What AWS Services are you utilizing?**
Cognito User Pools
**Provide additional details e.g. code snippets**
I have a user pool with optional MFA. My web app allows users to configure TOTP MFA, and the option to remember devices is selected (so the TOTP challenge should arise only on new devices/browsers).
Consider an end user with a verified email and TOTP MFA set up, but no verified phone number.
Anyone can make a password reset request with this user's username and get a reset code by email.
Expectation: If an attacker only has access to the user's email account but not the TOTP device, they should not be able to log in.
Issue: However, if the attacker gets hold of the user's PC (but not the TOTP device) with the email account left open, they can get the password reset email. After changing the password, they can log in, since the device is remembered. Or will an MFA challenge be presented even on a remembered device after a password reset? It would help to get documentation or an official confirmation that it will be asked.
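The issue turns on the combination of two pool settings: MFA left at OPTIONAL and device remembering switched on. The following Python is an added example (not code from the issue, from Amplify or from AWS): a function that evaluates the `UserPool` document returned by the Cognito DescribeUserPool API (`boto3` `cognito-idp` `describe_user_pool`) and reports whether a pool has exactly that combination. The field names `MfaConfiguration`, `DeviceConfiguration.ChallengeRequiredOnNewDevice` and `DeviceConfiguration.DeviceOnlyRememberedOnUserPrompt` are the real API fields; the sample response, the assumption that a missing `DeviceConfiguration` block means device tracking is off, and the pool ID placeholder are constructed for the demonstration.

```python
"""Audit a Cognito user pool for the optional-MFA plus remembered-device
combination described in the issue.

Added example, not part of the issue, of Amplify or of AWS. It inspects the
'UserPool' dict that the Cognito DescribeUserPool API returns (boto3:
client('cognito-idp').describe_user_pool(UserPoolId=...)['UserPool']).
"""
from typing import Dict, List

# Constructed sample mirroring the issue: MFA optional, devices remembered
# automatically and exempt from the MFA challenge once remembered.
SAMPLE_USER_POOL: Dict = {
    "Id": "REGION_POOLID_PLACEHOLDER",  # placeholder, not a real pool id
    "MfaConfiguration": "OPTIONAL",
    "DeviceConfiguration": {
        "ChallengeRequiredOnNewDevice": True,
        "DeviceOnlyRememberedOnUserPrompt": False,
    },
}


def audit_mfa_and_devices(user_pool: Dict) -> List[str]:
    """Return findings for one DescribeUserPool 'UserPool' dict.

    Checks performed:
    - MfaConfiguration: OFF / OPTIONAL / ON. Only ON enforces a second factor
      for every user; OPTIONAL (the issue's setup) depends on each user enrolling.
    - ChallengeRequiredOnNewDevice: when true, a remembered device is not asked
      for the MFA factor on later sign-ins, which is the exemption the issue
      worries about after a password reset.
    - DeviceOnlyRememberedOnUserPrompt: when false, devices are remembered
      without any confirmation from the user.
    Assumption: a user pool without a DeviceConfiguration block has device
    tracking disabled, so the device checks are skipped for it.
    """
    findings: List[str] = []
    mfa = user_pool.get("MfaConfiguration", "OFF")
    devices = user_pool.get("DeviceConfiguration") or {}
    challenge_on_new_only = bool(devices.get("ChallengeRequiredOnNewDevice", False))
    prompt_only = bool(devices.get("DeviceOnlyRememberedOnUserPrompt", False))

    if mfa == "OFF":
        findings.append("MfaConfiguration is OFF: a password reset alone grants sign-in.")
    elif mfa == "OPTIONAL":
        findings.append(
            "MfaConfiguration is OPTIONAL: the second factor is only enforced "
            "for users who enrolled one."
        )

    if devices and challenge_on_new_only:
        findings.append(
            "Remembered devices skip the MFA challenge: a reset code read on an "
            "already-remembered device never meets the second factor."
        )
        if not prompt_only:
            findings.append(
                "Devices are remembered automatically (no user prompt), so each "
                "successful sign-in silently adds a trusted device."
            )
    return findings


def fetch_user_pool(user_pool_id: str) -> Dict:
    """Fetch the live pool document with boto3 (requires AWS credentials)."""
    import boto3  # imported here so the audit itself runs without boto3

    client = boto3.client("cognito-idp")
    return client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_user_pool(...)
    # with a real pool id to audit a live pool.
    for finding in audit_mfa_and_devices(SAMPLE_USER_POOL):
        print("-", finding)
```

Running it over the constructed sample prints three findings; a pool with `MfaConfiguration` set to `ON` and device remembering set to prompt the user before remembering produces none.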