Why doesn't Amazon Cognito send the verification code email or SMS text message with the ForgotPassword API?


I used the ForgotPassword API call to reset my password. But, Amazon Cognito didn't send the verification code email or SMS text message.

Resolution

Check the spam and junk folders

Make sure that the verification email doesn't go to the user's spam or junk folders.

Confirm that the user exists in the user pool

Confirm that the user exists in the Cognito user pool. To use the Cognito console to search for users in the user pool, see Managing and searching for user accounts. You can also use the AdminGetUser API.

Check the user status

By default, a user that an administrator creates has the status FORCE_CHANGE_PASSWORD until the user signs in with the provided password.

If the user status is FORCE_CHANGE_PASSWORD, then users can't use the ForgotPassword API and they don't receive the verification code. Instead, Cognito prompts users to change their password.

Check how the user can recover the account

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

To recover the account, you must verify the user account configuration. Check whether the recovery message delivery method is email, phone, email only, phone only, phone if available, or none.

Complete the following steps:

  1. Open the Cognito console.
  2. Select the user pool.
  3. Under Authentication, choose Sign-in.
  4. In the User account recovery section, check the options under Recovery message delivery method. Then, confirm that the delivery method is a verified attribute for the user.

Users in the CONFIRMED status might not have a verified email or phone number for password recovery. When you select the verification check box to create accounts, you must verify the email and phone number of user accounts that an administrator created. Administrators can use the AdminUpdateUserAttributes API call to mark the email and phone number as verified.

To set a user's email address as verified, run the following admin-update-user-attributes AWS CLI command and specify email_verified:

aws cognito-idp admin-update-user-attributes --user-pool-id example-userpool-id --username example-username --user-attributes Name=email_verified,Value=true --region example-region

Note: Replace example-userpool-id, example-username, and example-region with your values.

To set a user's phone number as verified, run the following admin-update-user-attributes command and specify phone_number_verified:

aws cognito-idp admin-update-user-attributes --user-pool-id example-userpool-id --username example-username --user-attributes Name=phone_number_verified,Value=true --region example-region

Note: Replace example-userpool-id, example-username, and example-region with your values.
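The user status check and the recovery delivery check above can be run in one pass over the AdminGetUser and DescribeUserPool responses. The following Python is an added example, not AWS code: diagnose_recovery, the sample data, and the phone-then-email fallback for pools without AccountRecoverySetting are assumptions of this example.

```python
CHANNELS = {  # recovery mechanism name -> (address attribute, verified flag)
    "verified_email": ("email", "email_verified"),
    "verified_phone_number": ("phone_number", "phone_number_verified"),
}
# Assumption: a pool with no AccountRecoverySetting uses the legacy order,
# phone first and then email.
LEGACY = [{"Name": "verified_phone_number", "Priority": 1},
          {"Name": "verified_email", "Priority": 2}]


def diagnose_recovery(user, pool):
    """Return (usable channel or None, findings) for one user."""
    attrs = {a["Name"]: a["Value"] for a in user.get("UserAttributes", [])}
    findings = []
    if user.get("UserStatus") == "FORCE_CHANGE_PASSWORD":
        findings.append("status is FORCE_CHANGE_PASSWORD: ForgotPassword sends no code")
        return None, findings
    setting = pool.get("AccountRecoverySetting") or {}
    mechanisms = setting.get("RecoveryMechanisms") or LEGACY
    for mech in sorted(mechanisms, key=lambda m: m["Priority"]):
        name = mech["Name"]
        if name == "admin_only":
            findings.append("delivery method is none: an administrator must reset the password")
            continue
        address, flag = CHANNELS[name]
        if address not in attrs:
            findings.append(f"{name}: user has no {address} attribute")
        elif attrs.get(flag, "false").lower() != "true":
            findings.append(f"{name}: {flag} is not true")
        else:
            return name, findings  # first usable channel in priority order
    return None, findings


# Constructed sample: CONFIRMED admin-created user whose email was never verified.
SAMPLE_USER = {
    "Username": "example-username",
    "UserStatus": "CONFIRMED",
    "UserAttributes": [
        {"Name": "email", "Value": "user@example.com"},
        {"Name": "email_verified", "Value": "false"},
    ],
}
SAMPLE_POOL = {"AccountRecoverySetting": {
    "RecoveryMechanisms": [{"Name": "verified_email", "Priority": 1}]}}

if __name__ == "__main__":
    print(diagnose_recovery(SAMPLE_USER, SAMPLE_POOL))
```

To run it against a live pool, pass the admin-get-user output as user and the UserPool object from describe-user-pool as pool.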

Check the Amazon SNS quota

Cognito uses Amazon Simple Notification Service (Amazon SNS) to deliver SMS text messages. The default Amazon SNS spend quota for accounts is $1.00 (USD) per month. To check or change the account spend quota, see Setting SMS messaging preferences using the AWS Management Console.

Important: If the account spend quota that you set exceeds your service quota, then SNS doesn't publish SMS messages.

For quota increases, see Requesting increases to your monthly Amazon SNS SMS spending quota.

Check the Amazon SES quota

Cognito uses Amazon Simple Email Service (Amazon SES) to deliver emails. By default, Cognito allows a limited number of daily emails for your user pool. For more information, see Quotas on resource number and size.

To allow a higher email delivery volume, you can configure your user pool to use your Amazon SES email configuration. For instructions, see Email settings for Amazon Cognito user pools.

Reset the user password using the AdminSetUserPassword API

Administrators can use the AdminSetUserPassword API to set a user's password in a Cognito user pool as temporary or permanent. Users with temporary passwords must sign in and change the temporary password before it expires. After a user resets the temporary password, or the password is permanent, the status changes to CONFIRMED.

Related information

SMS delivery failure reasons

admin-get-user

AdminResetUserPassword

AWS OFFICIAL. Updated 2 months ago
1 Comment

Another reason is that the user's email or SMS is not verified. For instance, when you use the Admin Create User API without setting email_verified to true, the user is successfully created. However, even after logging in, the user's email or phone number remains unconfirmed. To resolve this, you must confirm the email or phone number using the Admin Confirm Signup API or a pre-sign-up Lambda trigger.

replied 2 months ago