Is MFA always required after forgot password reset, even on remembered devices? #3364

Closed
ak37165 opened this issue May 30, 2019 · 4 comments
Labels: Cognito (Related to cognito issues), question (General question), Service Team (Issues asked to the Service Team)

Comments


ak37165 commented May 30, 2019

**Which Category is your question related to?**
Authentication

**What AWS Services are you utilizing?**
Cognito User Pools

**Provide additional details e.g. code snippets**
I have a user pool with optional MFA. My web app allows users to configure TOTP MFA. And the option to remember devices is selected (so TOTP challenge should arise only on new devices/browsers).

Consider an end user with verified email and TOTP MFA setup, but no verified phone number.

Anyone can make a password reset request with this user's username and get a reset code by email.

Expectation: If an attacker only has access to the user's email account but not the TOTP device they should not be able to login.

Issue: However, if the attacker gets hold of the user's PC (but not the TOTP device) with the email account left open, they can get the password reset email. After changing the password, they can log in, since the device is remembered. Or will an MFA challenge be presented even on a remembered device after a password reset? It will help to get documentation or an official confirmation that it will be asked.

@manueliglesias manueliglesias added Cognito Related to cognito issues question General question Service Team Issues asked to the Service Team labels May 31, 2019

ak37165 commented Jun 3, 2019

If an MFA challenge is not guaranteed to be presented after a password reset, can we use the message customization lambda or some other method to suppress the password reset email from being sent? Assume that the attacker is calling the password reset API from our JavaScript app client ID, such as using the method cognitoUser.forgotPassword().
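Added example, not code from the issue, Amplify or Cognito: a Custom Message Lambda trigger (the customization lambda asked about above) that, when a forgot-password code is requested, forgets the user's remembered devices so the remembered-device path described in the opening comment cannot skip the TOTP challenge at the next sign-in. It does not settle whether Cognito itself re-challenges after a reset; it assumes the trigger source name CustomMessage_ForgotPassword, the AdminListDevices/AdminForgetDevice APIs via boto3, and FakeCognitoClient is a constructed stand-in so the code runs offline.

```python
"""Constructed example: forget every remembered device when a password reset is
requested, so the first sign-in with the new password must pass the TOTP challenge.
Assumes a Cognito Custom Message trigger; the Lambda role needs AdminListDevices/AdminForgetDevice."""
from typing import Any, Dict, List, Optional

def list_device_keys(client: Any, user_pool_id: str, username: str) -> List[str]:
    """Collect all device keys for the user, following PaginationToken across pages."""
    keys: List[str] = []
    token: Optional[str] = None
    while True:
        kwargs: Dict[str, Any] = {"UserPoolId": user_pool_id, "Username": username, "Limit": 60}
        if token:
            kwargs["PaginationToken"] = token
        resp = client.admin_list_devices(**kwargs)
        keys.extend(d["DeviceKey"] for d in resp.get("Devices", []))
        token = resp.get("PaginationToken")
        if not token:
            return keys

def forget_all_devices(client: Any, user_pool_id: str, username: str) -> int:
    """Forget each tracked device and return how many were forgotten."""
    keys = list_device_keys(client, user_pool_id, username)
    for key in keys:
        client.admin_forget_device(UserPoolId=user_pool_id, Username=username, DeviceKey=key)
    return len(keys)

def handler(event: Dict[str, Any], context: Any = None, client: Any = None) -> Dict[str, Any]:
    """Custom Message entry point; acts only on the forgot-password source and leaves the email text as-is."""
    if event.get("triggerSource") == "CustomMessage_ForgotPassword":
        if client is None:
            import boto3  # lazy import so the module loads without the SDK installed
            client = boto3.client("cognito-idp")
        forget_all_devices(client, event["userPoolId"], event["userName"])
    return event

class FakeCognitoClient:
    """Offline stand-in for the boto3 cognito-idp client, fed constructed device pages."""
    def __init__(self, pages: List[Dict[str, Any]]) -> None:
        self.pages = list(pages)
        self.forgotten: List[str] = []
    def admin_list_devices(self, **kwargs: Any) -> Dict[str, Any]:
        return self.pages.pop(0)
    def admin_forget_device(self, **kwargs: Any) -> Dict[str, Any]:
        self.forgotten.append(kwargs["DeviceKey"])
        return {}
```

Forgetting devices at code-request time is deliberately conservative: anyone who triggers a reset only costs the real user one extra TOTP prompt, while a reset completed from a remembered browser no longer bypasses MFA.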


stale bot commented Jul 3, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.


stale bot commented Jul 10, 2019

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

@github-actions

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 12, 2021