En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Amazon Cognito hosted UI password reset code message

0

In the Cognito hosted UI "forgot your password" process, If a user enters a Username that does not exists the following message is shown. We have sent a password reset code by email to f***@y***.com. Enter it below to reset your password. where f*@y***.com** is a "fake" email address which looks to be made up using the username entered.

This is causing our support team issues as users think their code is being sent to a strange email address.

I explained what I think is going on is that the UI does not want to inform the user that their ID was not found (for security reasons) so it makes up a fake email address. I cannot seem to find any documentation on this. Can anyone point me to official Cognito documentation that explains this process?

Sujets
Sécurité, identité et conformité
Balises
Amazon Cognito
Langue
English
zebra2048
demandé il y a 2 ans1206 vues
1 réponse
0
Réponse acceptée

Hi,

You are right, this behavior is to protect Cognito customers from username enumeration risks. The behavior is highlighted in the managing error messages page and applied when prevent user existence error is enabled.

When you enable custom error responses, Amazon Cognito authentication APIs return a generic authentication failure response. The error response tells you the user name or password is incorrect. Amazon Cognito account confirmation and password recovery APIs return a response indicating a code was sent to a simulated delivery medium.

AWS
EXPERT
Mahmoud Matouk
répondu il y a 2 ans

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents