Forgot Password flow issue with Email and TOTP as MFA

0

Hello,

We are facing an issue with the Account Recovery flow while using Cognito User Pools. Cognito is set to use two MFA methods (TOTP and Email), which are set as required and working as expected. If the user has registered for TOTP using the authenticator app, then the account recovery flow works as expected and we receive the recovery code via email. Until then, when trying to use the account recovery flow, the user is not able to receive the recovery code via email, as Cognito throws the following exception: "Amazon.CognitoIdentityProvider.Model.InvalidParameterException: Cannot reset password for the user as there is no registered/verified email or phone_number".

We have checked the user pool settings and the user is verified and has a verified email address.

We are using the following request to trigger the account recovery flow: ForgotPasswordAsync(CancellationToken cancellationToken) provided by the SDK.

Could you please help us resolve this issue?

Thank you

1 Answer
-2

This issue appears to be related to how Amazon Cognito handles password recovery when MFA is configured with both Email and TOTP options.

When a user has Email MFA enabled, Cognito cannot use the same email address for password recovery. This is by design - users can't receive MFA and password reset codes at the same email address or phone number. If they use one-time passwords (OTPs) from email messages for MFA, they must use SMS messages for account recovery.

In your case, when users have configured TOTP as their MFA method, the password recovery works correctly because Cognito can send the recovery code to their email. However, when users are using Email as their MFA method, Cognito cannot send the recovery code to the same email address, resulting in the error you're seeing.

To resolve this issue, you have a few options:

  1. Ensure users have both email and phone number attributes set. When users have both attributes, Amazon Cognito automatically sends password-reset codes to the destination that is not the user's MFA factor.

  2. Make both email and phone_number attributes required in your user pool configuration to prevent this situation.

  3. Consider disabling Email MFA and only using TOTP (authenticator app) as your MFA option if you want to use email for password recovery consistently.

  4. Set up processes that always collect and set both email and phone number attributes when users sign up or when administrators create user profiles.

This behavior is not a bug but rather a security design in Cognito to ensure that account recovery and MFA use separate channels for verification.
Sources
Passwords, account recovery, and password policies - Amazon Cognito
Cognito - unable to reset password with no phone number added | AWS re:Post
Email MFA is only way for all users after enable Email MFA | AWS re:Post
Cognito forget password through AWS Console error | AWS re:Post

answered 10 months ago
  • I have checked and confirmed that users have both email and phone_number populated and marked as "Verified". It seems that Cognito is not using SMS as a fallback for the password recovery flow. The user's "Confirmation status" is "Confirmed" and I can successfully sign in with the given email; that way I can confirm that the user is valid and in the correct state before trying the Forgot Password flow. I must keep Email alongside TOTP as MFA.
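A pre-flight check that models the rule stated in the answer (the reset code goes to the verified destination that is not the user's MFA factor), so an application can tell before calling ForgotPassword whether a user still has a usable recovery channel. This is an added example, not code from the answer, the questioner or AWS; it assumes an AdminGetUser-shaped record (UserAttributes as Name/Value pairs, UserMFASettingList with the EMAIL_OTP, SMS_MFA and SOFTWARE_TOKEN_MFA values) and uses constructed sample users.

```python
# Added example: models the documented recovery rule, it does not call AWS.
# Assumption: a user record shaped like the boto3 admin_get_user response.

def _attrs(user):
    """Flatten AdminGetUser-style UserAttributes into a plain dict."""
    return {a["Name"]: a["Value"] for a in user.get("UserAttributes", [])}

def recovery_destination(user):
    """Return 'email', 'phone_number', or None if no recovery channel is left.

    A destination qualifies only if its *_verified attribute is "true" and
    the same channel is not already an OTP MFA factor (EMAIL_OTP / SMS_MFA).
    A TOTP-only user (SOFTWARE_TOKEN_MFA) can still get the code by email.
    """
    a = _attrs(user)
    mfa = set(user.get("UserMFASettingList", []))
    candidates = [
        ("email", a.get("email_verified") == "true", "EMAIL_OTP"),
        ("phone_number", a.get("phone_number_verified") == "true", "SMS_MFA"),
    ]
    for name, verified, factor in candidates:
        if verified and factor not in mfa:
            return name
    return None

def can_reset_password(user):
    """True when ForgotPassword has somewhere to deliver the code."""
    return recovery_destination(user) is not None

# Constructed sample users (not real accounts).
TOTP_USER = {
    "Username": "alice",
    "UserAttributes": [{"Name": "email", "Value": "alice@example.com"},
                       {"Name": "email_verified", "Value": "true"}],
    "UserMFASettingList": ["SOFTWARE_TOKEN_MFA"],
}
EMAIL_MFA_NO_PHONE = {
    "Username": "bob",
    "UserAttributes": [{"Name": "email", "Value": "bob@example.com"},
                       {"Name": "email_verified", "Value": "true"}],
    "UserMFASettingList": ["EMAIL_OTP"],
}
EMAIL_MFA_WITH_PHONE = {
    "Username": "carol",
    "UserAttributes": [{"Name": "email_verified", "Value": "true"},
                       {"Name": "phone_number", "Value": "+15555550100"},
                       {"Name": "phone_number_verified", "Value": "true"}],
    "UserMFASettingList": ["EMAIL_OTP", "SOFTWARE_TOKEN_MFA"],
}

if __name__ == "__main__":
    for u in (TOTP_USER, EMAIL_MFA_NO_PHONE, EMAIL_MFA_WITH_PHONE):
        print(u["Username"], "->", recovery_destination(u))
```

Running the check before ForgotPassword lets the application surface "add and verify a phone number" instead of the opaque InvalidParameterException; it does not explain the questioner's follow-up where the SMS fallback was still not used.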
