Amazon Cognito hosted UI password reset code message

0

In the Cognito hosted UI "forgot your password" process, if a user enters a username that does not exist, the following message is shown: "We have sent a password reset code by email to f***@y***.com. Enter it below to reset your password." where f***@y***.com is a "fake" email address which looks to be made up using the username entered.

This is causing our support team issues as users think their code is being sent to a strange email address.

I explained what I think is going on is that the UI does not want to inform the user that their ID was not found (for security reasons) so it makes up a fake email address. I cannot seem to find any documentation on this. Can anyone point me to official Cognito documentation that explains this process?

posted 2 years ago, 1206 views
1 Answer
0
Accepted answer

Hi,

You are right, this behavior is to protect Cognito customers from username enumeration risks. The behavior is highlighted in the managing error messages page and applied when prevent user existence error is enabled.

When you enable custom error responses, Amazon Cognito authentication APIs return a generic authentication failure response. The error response tells you the user name or password is incorrect. Amazon Cognito account confirmation and password recovery APIs return a response indicating a code was sent to a simulated delivery medium.

AWS
EXPERT
answered 2 years ago
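The two behaviours the answer contrasts, as an added Python model that is not from the original post and not Cognito's own code: the user directory, the masking rule and the username-derived simulated address are constructed assumptions that reproduce the "f***@y***.com" shape from the question, while the CLI flag in the closing comment is the real setting name.

```python
"""Model of a Cognito ForgotPassword response under the two
PreventUserExistenceErrors settings (LEGACY vs ENABLED).

Constructed illustration, not Cognito's code. The masking rule and the
simulated address are assumptions; Cognito's real algorithm is not
described on the page this accompanies.
"""

# Constructed user directory: username -> verified email address.
USERS = {"frank": "frank@yahoo.com"}


def mask_email(email: str) -> str:
    """Hide an address the way the hosted UI message does: keep the first
    character of the local part and of the domain plus the TLD (assumed rule)."""
    local, domain = email.split("@", 1)
    host, _, tld = domain.rpartition(".")
    return f"{local[0]}***@{host[0]}***.{tld}"


def simulated_destination(username: str) -> str:
    """Fabricate a delivery medium for an unknown user so the response has
    the same shape as a real one (assumed: derived from the username)."""
    return mask_email(f"{username}@{username}.com")


def forgot_password(username: str, prevent_user_existence_errors: str) -> dict:
    """Response a client sees.
    LEGACY  -> unknown username yields UserNotFoundException, which lets a
               caller confirm which usernames exist (enumeration).
    ENABLED -> every username yields a 'code sent' response; an unknown one
               carries a simulated destination instead of an error."""
    email = USERS.get(username)
    if email is None:
        if prevent_user_existence_errors == "LEGACY":
            return {"error": "UserNotFoundException"}
        destination = simulated_destination(username)
    else:
        destination = mask_email(email)
    return {"CodeDeliveryDetails": {"DeliveryMedium": "EMAIL",
                                    "AttributeName": "email",
                                    "Destination": destination}}


def leaks_existence(setting: str) -> bool:
    """Check: are the responses for a real and an unknown user structurally
    distinguishable under this setting?"""
    return set(forgot_password("frank", setting)) != set(forgot_password("nobody", setting))


# Hardening on a real pool (AWS CLI, not run here; IDs are placeholders).
# UpdateUserPoolClient resets client attributes you omit to their defaults,
# so pass the full client configuration, not just this flag:
#   aws cognito-idp update-user-pool-client --user-pool-id <POOL_ID> \
#       --client-id <CLIENT_ID> --prevent-user-existence-errors ENABLED
```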
