I want to know why Amazon Cognito didn't send a verification code email or short message service (SMS) text message when I use the ForgotPassword API call.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Check the spam and junk folders
Make sure that the verification email doesn't go to the user's spam or junk folders.
Confirm that the user exists in the user pool
Confirm that the user exists in the Amazon Cognito user pool. To use the Amazon Cognito console to search for users in the user pool, see Managing and searching for user accounts. You can also use the AdminGetUser API call.
Check the user's status
Verify that the user's status isn't FORCE_CHANGE_PASSWORD.
Users that an administrator creates have the status FORCE_CHANGE_PASSWORD by default until they sign in with the provided temporary password.
If the user status is FORCE_CHANGE_PASSWORD, then the user can't use the ForgotPassword API call and doesn't receive the verification code. Instead, Amazon Cognito prompts the user to change their password.
Recover the user's AWS account
If you call the Forgot Password API when your username and phone number aren't verified, then you receive one of the following errors:
- In the AWS CLI:
"An error occurred (InvalidParameterException) when calling the ForgotPassword operation: Cannot reset password for the user as there is no registered/verified email or phone_number"
- In the Amazon Cognito console:
"Could not reset password for the account, please contact support or try again."
To recover the user's account, you must verify the user account configuration. Check whether the recovery message delivery method is email, phone, email only, phone only, phone if available, or none.
Complete the following steps:
- Open the Amazon Cognito console.
- Select the user pool.
- Under Authentication, choose Sign-in.
- In the User account recovery section, check the options under Recovery message delivery method.
- Confirm that the delivery method is a verified attribute for the user.
Users in the CONFIRMED status might not have a verified email or phone number for password recovery. When you select the verification check box to create accounts, you must verify the email and phone number of user accounts that an administrator created.
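The checks in the preceding sections (does the user exist, is the status FORCE_CHANGE_PASSWORD, does a verified attribute match the pool's recovery message delivery method) can be applied to the JSON that `aws cognito-idp admin-get-user` and `aws cognito-idp describe-user-pool` return. The following script is an added example, not code from the AWS article; the sample responses are constructed, and the fallback for legacy pools with no AccountRecoverySetting (treat both email and phone as allowed) is this example's own assumption.

```python
# Added example (not from the AWS article): decide why ForgotPassword would not
# deliver a code, from the response shapes of AdminGetUser and DescribeUserPool.

# Recovery mechanism names used in AccountRecoverySetting.RecoveryMechanisms,
# mapped to the user attribute that must be "true" for that mechanism to work.
RECOVERY_TO_VERIFIED_FLAG = {
    "verified_email": "email_verified",
    "verified_phone_number": "phone_number_verified",
}

def user_attributes(admin_get_user_response):
    """Flatten AdminGetUser's UserAttributes list of {Name, Value} into a dict."""
    return {a["Name"]: a["Value"] for a in admin_get_user_response.get("UserAttributes", [])}

def recovery_mechanisms(describe_user_pool_response):
    """Recovery mechanism names in priority order. Assumption of this example:
    a pool without AccountRecoverySetting is treated as allowing email and phone."""
    setting = describe_user_pool_response["UserPool"].get("AccountRecoverySetting") or {}
    mechanisms = setting.get("RecoveryMechanisms")
    if not mechanisms:
        return ["verified_email", "verified_phone_number"]
    return [m["Name"] for m in sorted(mechanisms, key=lambda m: m["Priority"])]

def diagnose_forgot_password(admin_get_user_response, describe_user_pool_response):
    """Return the reasons ForgotPassword would not send a code. An empty list means
    the user-side checks pass; SMS and Amazon SES quotas are checked separately."""
    if admin_get_user_response is None:
        return ["user not found: AdminGetUser raised UserNotFoundException"]
    reasons = []
    if admin_get_user_response.get("UserStatus") == "FORCE_CHANGE_PASSWORD":
        reasons.append("status is FORCE_CHANGE_PASSWORD: the user must sign in with the "
                       "temporary password before ForgotPassword is allowed")
    attrs = user_attributes(admin_get_user_response)
    mechanisms = recovery_mechanisms(describe_user_pool_response)
    usable = [m for m in mechanisms
              if attrs.get(RECOVERY_TO_VERIFIED_FLAG.get(m, ""), "false").lower() == "true"]
    if all(m == "admin_only" for m in mechanisms):
        reasons.append("recovery method is none/admin_only: reset with AdminSetUserPassword")
    elif not usable:
        reasons.append("no verified attribute matches the recovery methods "
                       f"{mechanisms}; set email_verified or phone_number_verified to true")
    return reasons

# Constructed DescribeUserPool response: email first, then phone.
POOL = {"UserPool": {"Id": "us-east-1_EXAMPLE", "AccountRecoverySetting": {
    "RecoveryMechanisms": [{"Priority": 1, "Name": "verified_email"},
                           {"Priority": 2, "Name": "verified_phone_number"}]}}}

def sample_user(status, email_verified):
    """Constructed AdminGetUser response with a single email attribute."""
    return {"Username": "example-user-name", "UserStatus": status, "Enabled": True,
            "UserAttributes": [{"Name": "email", "Value": "user@example.com"},
                               {"Name": "email_verified", "Value": email_verified}]}

if __name__ == "__main__":
    cases = [("confirmed, verified", sample_user("CONFIRMED", "true")),
             ("confirmed, unverified", sample_user("CONFIRMED", "false")),
             ("admin-created, not yet signed in", sample_user("FORCE_CHANGE_PASSWORD", "false")),
             ("missing user", None)]
    for label, user in cases:
        print(f"{label}: {diagnose_forgot_password(user, POOL) or ['checks pass']}")
```

To run it against a real pool, feed the script the parsed output of `aws cognito-idp admin-get-user --user-pool-id ... --username ...` and `aws cognito-idp describe-user-pool --user-pool-id ...`; a UserNotFoundException from the first command corresponds to passing None.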
To resolve this issue, use one of the following methods to set your email and phone number’s verified status to true:
Update your user attributes
If you’re an administrator, then run the following AdminUpdateUserAttributes API call:
aws cognito-idp admin-update-user-attributes --user-attributes Name=example-verification-method,Value=true --user-pool-id example-userpoolID --username example-user-name
Note: Replace example-verification-method with email_verified or phone_number_verified, depending on the user’s recovery message delivery method. Replace example-userpoolID with your user pool’s ID, and example-user-name with the name of the user that wants to run the Forgot Password API call.
If you’re a user, then log in, and then run the following UpdateUserAttributes API call:
aws cognito-idp update-user-attributes --user-attributes Name=example-verification-method,Value=true --access-token example-access-token
Note: Replace example-verification-method with email_verified or phone_number_verified, depending on the user’s recovery message delivery method. Replace example-access-token with your access token’s value.
Pre sign-up Lambda trigger
Use the pre sign-up Lambda trigger to set a user’s email and phone number attributes to verified.
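A pre sign-up trigger sets the verified flags through the autoVerifyEmail and autoVerifyPhone fields of the event's response object. The handler below is an added example (Python Lambda runtime), not code from the AWS article; the event field names are the ones Cognito passes to the pre sign-up trigger, the sample event is constructed, and `make_event` is this example's own helper. The handler only sets a flag when the sign-up actually supplied that attribute, because requesting auto-verification of a missing email or phone number makes Cognito reject the sign-up with an error.

```python
# Added example (not from the AWS article): pre sign-up Lambda trigger that marks
# the email and phone number attributes as verified at sign-up time.

def lambda_handler(event, context=None):
    """Cognito reads autoVerifyEmail / autoVerifyPhone from event["response"].
    Only request verification for attributes that are present and non-empty;
    setting autoVerifyEmail without an email attribute causes a sign-up error."""
    attrs = event.get("request", {}).get("userAttributes", {}) or {}
    response = event.setdefault("response", {})
    response.setdefault("autoConfirmUser", False)  # leave confirmation policy unchanged
    response["autoVerifyEmail"] = bool(attrs.get("email"))
    response["autoVerifyPhone"] = bool(attrs.get("phone_number"))
    return event  # the trigger must return the (possibly modified) event

def make_event(user_attributes, trigger_source="PreSignUp_SignUp"):
    """Constructed minimal pre sign-up event for local testing (this example's helper)."""
    return {"version": "1", "triggerSource": trigger_source,
            "userPoolId": "us-east-1_EXAMPLE", "userName": "example-user-name",
            "request": {"userAttributes": user_attributes, "validationData": {}},
            "response": {"autoConfirmUser": False,
                         "autoVerifyEmail": False, "autoVerifyPhone": False}}

if __name__ == "__main__":
    for attrs in ({"email": "user@example.com"},
                  {"email": "user@example.com", "phone_number": "+12065550100"},
                  {}):
        print(attrs, "->", lambda_handler(make_event(attrs))["response"])
```

Auto-verifying an attribute skips the proof of ownership that the verification code otherwise provides, so the address Cognito later uses for password recovery is whatever the sign-up request supplied; use this trigger only on sign-up paths where that input is trusted.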
SignUp
If you’re a user, then complete the following steps:
- Run the following SignUp API call:
aws cognito-idp sign-up --client-id example-client-ID --username example-user-name
Note: Replace example-client-ID with the ID of the app client where you want to sign up. Replace example-user-name with your username.
- Note the Session value in the previous command's output.
- Run the following ConfirmSignUp API call:
aws cognito-idp confirm-sign-up --client-id example-client-ID --username example-user-name --confirmation-code example-confirmation-code
Note: Replace example-client-ID with the ID of the app client where you want to sign up. Replace example-user-name with your username. Replace example-confirmation-code with the Session value that you noted in step 2.
If you're an administrator, then run the following AdminConfirmSignUp API call:
aws cognito-idp admin-confirm-sign-up --user-pool-id example-userpoolID --username example-user-name
Note: The admin-confirm-sign-up command takes the user pool ID rather than an app client ID. Replace example-userpoolID with your user pool's ID. Replace example-user-name with the username.
Check the account spend limit for SMS messaging
Amazon Cognito uses Amazon Simple Notification Service (Amazon SNS) to deliver SMS text messages. If your SMS spending reaches the account spend limit that you set, then Amazon SNS doesn't publish SMS messages.
To check or change the account spend limit, see Setting SMS messaging preferences using the AWS Management Console.
Check the Amazon SES quota
Amazon Cognito uses Amazon Simple Email Service (Amazon SES) to deliver emails. By default, Amazon Cognito allows a limited number of daily emails for your user pool. For more information, see Quotas on resource number and size.
To raise the email delivery limit, configure your user pool to use your own Amazon SES email configuration. For instructions, see Email settings for Amazon Cognito user pools.
Use the AdminSetUserPassword API call to reset the user password
Administrators can use the AdminSetUserPassword API call to set a user's password in an Amazon Cognito user pool as temporary or permanent. Users with temporary passwords must sign in and change the temporary password before it expires. After a user resets the temporary password, or the password is permanent, the status changes to CONFIRMED.
Related information
SMS delivery failure reasons
admin-get-user
AdminResetUserPassword