Amazon Cognito hosted UI password reset code message


In the Cognito hosted UI "forgot your password" process, If a user enters a Username that does not exists the following message is shown. We have sent a password reset code by email to f***@y***.com. Enter it below to reset your password. where f*@y***.com** is a "fake" email address which looks to be made up using the username entered.

This is causing our support team issues as users think their code is being sent to a strange email address.

I explained what I think is going on is that the UI does not want to inform the user that their ID was not found (for security reasons) so it makes up a fake email address. I cannot seem to find any documentation on this. Can anyone point me to official Cognito documentation that explains this process?

asked 2 years ago979 views
1 Answer
Accepted Answer


You are right, this behavior is to protect Cognito customers from username enumeration risks. The behavior is highlighted in the managing error messages page and applied when prevent user existence error is enabled.

When you enable custom error responses, Amazon Cognito authentication APIs return a generic authentication failure response. The error response tells you the user name or password is incorrect. Amazon Cognito account confirmation and password recovery APIs return a response indicating a code was sent to a simulated delivery medium.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions