AWS IAM Identity Center (SSO) fails when a user tries to register a built-in MFA device

0

IAM Identity Center fails when a user tries to register a built-in MFA device. For a few weeks now, all users who try to register an MFA device with the built-in method (Windows Hello or Touch ID) have been getting the error:

"It's not you, it's us.

We couldn't complete your request right now. Please try again later."

The workflow worked fine before, and the problem occurs on all browsers.

In CloudTrail, a JSON parse error is logged:

"[...]
  "eventSource": "sso-directory.amazonaws.com",
  "eventName": "CompleteWebAuthnDeviceRegistration",
  [...]
  "errorCode": "RegistrationFailedException",
  "errorMessage": "PublicKeyCredentialJSON could not be parsed."
[...]"

Registration with other methods, e.g. Authenticator app, works fine.

Identity source is "Identity Center directory".

Has anyone come across this situation and have any steps for resolution? Could this be an IAM Identity Center bug?

daniele
asked 9 months ago | 315 views
2 Answers
1

Hi Dan, according to the documentation (https://docs.aws.amazon.com/singlesignon/latest/userguide/mfa-types-keys.html), the built-in authenticator for Touch ID or Windows Hello uses FIDO2 WebAuthn, but not all operating system/browser versions support WebAuthn. Could you check to confirm that your browser and operating system are supported by FIDO2 WebAuthn? Based on the link (https://www.w3.org/TR/webauthn-2/#sctn-sample-registration-with-platform-authenticator), you can try two functions in the browser developer console to see whether WebAuthn works:

  • window.PublicKeyCredential => is a function
  • PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable().then(console.log) => show "true"

In my own test, I successfully registered my Touch ID with IAM Identity Center on macOS Ventura with the Chrome browser, and I don't see the error:

"eventSource": "sso-directory.amazonaws.com",
"eventName": "CompleteWebAuthnDeviceRegistration",
...
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"requestParameters": {
    "deviceId": "XXXXXXXXXXXXX",
    "publicKeyCredentialJSON": "HIDDEN_DUE_TO_SECURITY_REASONS"
...

AWS
answered 9 months ago
  • Hi Bard Lan, thanks for replying. As you suggested, the commands return the correct answers.

    The problem is present on every device, OS and browser tested:

    OS:

    • Windows 11
    • macOS Ventura
    • Android

    Browser:

    • Firefox
    • Chrome
    • Edge

    The issue also occurs on the same devices and configurations that successfully registered MFA one month ago.

    I also tried checking the IAM role related to SSO, but I didn't find any change.

    Could there be some misconfigured resource on the AWS account that could impact the MFA registration workflow?

    Regards.

  • The MFA registration you used is at the top right of the login page of AWS Identity Center (SSO), right? I didn't run into the issues you faced; maybe you can open a support ticket to have an AWS technical support engineer help you figure out what's going on?

0

Hi Bard Lan, yes, you are right!

I don't have a support plan and it's hard for me to afford it.

However, I went deeper into the matter and compared the WebAuthn payloads between a working device (yes, I found one) and a broken one, and I noticed that the 'attestationObject' attribute in the JSON responses has totally different lengths, longer in the second case.

I believe at this point that the device uses an algorithm/format not yet supported by the AWS identity pool.

Also, the key is returned by the OS (Touch ID or Windows Hello), so I think it mainly depends on the OS. At this point I think that in the last period some update has been released that changes the behavior of the WebAuthn handshake.

daniele
answered 9 months ago
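Comparing the length of 'attestationObject' only hints at a difference; decoding it shows which field differs. The following added example (not from this thread or from AWS) decodes a registration attestationObject in Node.js and reports the attestation format, the authenticator flags and the credential's COSE key type and algorithm; the sample object it parses is constructed here, not a real capture.

```javascript
// Added example (Node.js): decode a WebAuthn attestationObject (CBOR) far enough to read
// the attestation format, authenticator flags and the credential's COSE key type/algorithm.
function decodeCbor(buf, pos = 0) {
  const ib = buf[pos++], major = ib >> 5;
  let len = ib & 0x1f;
  if (len === 24) { len = buf[pos]; pos += 1; }
  else if (len === 25) { len = buf.readUInt16BE(pos); pos += 2; }
  else if (len === 26) { len = buf.readUInt32BE(pos); pos += 4; }
  else if (len > 26) throw new Error('unsupported CBOR length encoding');
  switch (major) {
    case 0: return [len, pos];                                                 // unsigned int
    case 1: return [-1 - len, pos];                                            // negative int
    case 2: return [buf.subarray(pos, pos + len), pos + len];                  // byte string
    case 3: return [buf.subarray(pos, pos + len).toString('utf8'), pos + len]; // text string
    case 4: { const a = []; let v;                                             // array
      for (let i = 0; i < len; i++) { [v, pos] = decodeCbor(buf, pos); a.push(v); }
      return [a, pos]; }
    case 5: { const m = new Map(); let k, v;                                   // map
      for (let i = 0; i < len; i++) { [k, pos] = decodeCbor(buf, pos); [v, pos] = decodeCbor(buf, pos); m.set(k, v); }
      return [m, pos]; }
    default: throw new Error(`unsupported CBOR major type ${major}`);
  }
}
// Accepts base64 or base64url (Node's base64 decoder takes both alphabets).
function summarizeAttestation(attestationObjectB64) {
  const buf = Buffer.from(attestationObjectB64, 'base64'), [att] = decodeCbor(buf);
  const authData = att.get('authData'), flags = authData[32];  // rpIdHash occupies bytes 0..31
  const out = { totalBytes: buf.length, fmt: att.get('fmt'), attStmtKeys: [...att.get('attStmt').keys()],
    userVerified: (flags & 0x04) !== 0, attestedCredential: (flags & 0x40) !== 0 };
  if (out.attestedCredential) {
    const credIdLen = authData.readUInt16BE(53);              // after signCount (33..36) and AAGUID (37..52)
    const [coseKey] = decodeCbor(authData, 55 + credIdLen);   // COSE_Key map follows the credential id
    out.kty = coseKey.get(1);                                 // COSE kty: 2 = EC2, 3 = RSA
    out.alg = coseKey.get(3);                                 // COSE alg: -7 = ES256, -257 = RS256
  }
  return out;
}

// Constructed sample, not a real capture: "none" format, ES256 P-256 key, flags UP|UV|AT.
function buildSampleAttestationObject() {
  const coseKey = Buffer.concat([Buffer.from([0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01]), // {1:2, 3:-7, -1:1,
    Buffer.from([0x21, 0x58, 0x20]), Buffer.alloc(32, 0xaa),                             //  -2: x (32 bytes),
    Buffer.from([0x22, 0x58, 0x20]), Buffer.alloc(32, 0xbb)]);                           //  -3: y (32 bytes)}
  const authData = Buffer.concat([Buffer.alloc(32, 0x11), Buffer.from([0x45]), Buffer.from([0, 0, 0, 1]),
    Buffer.alloc(16, 0), Buffer.from([0, 4, 0xde, 0xad, 0xbe, 0xef]), coseKey]); // rpIdHash, flags, signCount, AAGUID, credId, key
  return Buffer.concat([Buffer.from([0xa3, 0x63]), Buffer.from('fmt'), Buffer.from([0x64]), Buffer.from('none'),
    Buffer.from([0x67]), Buffer.from('attStmt'), Buffer.from([0xa0]),
    Buffer.from([0x68]), Buffer.from('authData'), Buffer.from([0x58, authData.length]), authData]).toString('base64');
}
```

Run summarizeAttestation() on the attestationObject captured from each device and compare fmt, attStmtKeys, kty and alg rather than the raw length; a format whose attStmt carries a certificate chain is far longer than fmt "none" even when the key itself is the same.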
