
Inconsistent OTP Length Issue in AWS Cognito Authentication Flow (Sign-in: 8 digits, Sign-up: 6 digits)


Dear AWS Support Team,

We are experiencing an inconsistency in the OTP length when using Choice-based authentication with SMS_OTP and EMAIL_OTP as the preferred challenge parameters in our USER_AUTH flow.

During the sign-up process, the OTP sent is 6 digits long, whereas during sign-in, the OTP is 8 digits long. This inconsistency leads to a poor user experience across our application.

As our authentication system heavily relies on AWS Cognito, we would appreciate your guidance on resolving this issue. Could you please provide:

  1. Any configuration settings that allow us to enforce a consistent OTP length across both sign-up and sign-in flows?
  2. Any recent updates or documentation regarding this behavior?

This is a critical business decision for us, and we look forward to your response.

~ Roop Kumar Chatterjee

1 Answer

Thank you for reaching out about the inconsistency in OTP lengths for AWS Cognito authentication flows. I understand this is causing user experience issues in your application.

Unfortunately, Amazon Cognito does not currently provide direct configuration options to modify the length of verification codes or OTPs. The length of these codes is fixed by the system:

  • For SMS verification during sign-up, the code is always 6 digits long.
  • For sign-in challenges using SMS or email OTP, the code is 8 digits long.

This discrepancy is a known limitation of the current Cognito implementation and there are no built-in settings to enforce a consistent OTP length across both flows.

To work around this limitation and achieve a more consistent user experience, you have a few options:

  1. Implement a custom verification system:

    • Disable Cognito's built-in email/phone verification during user sign-up.
    • Generate your own verification codes with consistent length.
    • Send these codes to users using your preferred service (e.g., Amazon SNS for SMS or Amazon SES for email).
    • Validate the codes when users submit them.
    • After successful verification, mark the user as verified in Cognito using the AdminUpdateUserAttributes API.
  2. Use a Custom Message Lambda Trigger:

    • Set up a Custom Message Lambda Trigger for your user pool.
    • In this Lambda function, you can generate and send custom verification codes with consistent length.
    • Store these codes along with their expiration times in a database (e.g., DynamoDB).
    • Validate the codes during user confirmation by checking against the stored values.

While these workarounds require additional development effort, they allow you to have full control over the OTP length and format, ensuring consistency across your authentication flows.

It's worth noting that the authentication flow session duration can be adjusted in the app client configuration. This affects how long users have to complete each challenge before the session expires, but it does not impact the OTP length.

As for recent updates or documentation, there haven't been any changes announced regarding the ability to configure OTP lengths in Cognito. However, it's always a good idea to keep an eye on the AWS Cognito documentation and release notes for any future updates that might address this issue.

I apologize that there isn't a simpler solution available at this time. If this inconsistency is causing significant issues for your application, I recommend submitting a feature request to the AWS Cognito team to consider adding configuration options for OTP length in future updates.
Sources
Cognito support for verification code configuration | AWS re:Post
Authentication flows - Amazon Cognito
Authentication with Amazon Cognito user pools - Amazon Cognito

answered 8 months ago
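The first workaround in the answer above (generate your own fixed-length codes, store them with an expiry, validate them, then call AdminUpdateUserAttributes) leaves the security-sensitive details to the reader. The following is an added example, not code from the question, the answer, or AWS: it shows one way to implement that custom verification step so that the code is drawn from a CSPRNG, stored only as a keyed HMAC bound to the user, single-use, expiring, limited to a few guesses, and compared in constant time. The 6-digit length, 5-minute lifetime, 3-attempt limit, and `SERVER_KEY` value are assumptions; `OtpStore` is an in-memory stand-in for the DynamoDB table the answer mentions and `FakeCognitoClient` is a stand-in for `boto3.client("cognito-idp")`, both constructed so the example runs offline. The keyword arguments to `admin_update_user_attributes` are the real boto3 ones.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example (not from the original answer): one fixed code
# length for every flow, a 5-minute lifetime, three guesses per code, and a
# server-side key that in production would come from Secrets Manager or KMS.
OTP_LENGTH = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3
SERVER_KEY = b"replace-with-a-secret-from-secrets-manager"


class OtpStore:
    """In-memory stand-in for the DynamoDB table the answer suggests (constructed
    for offline use; a real table would use a TTL attribute for expiry)."""

    def __init__(self):
        self._items = {}

    def put(self, username, item):
        self._items[username] = item

    def get(self, username):
        return self._items.get(username)

    def delete(self, username):
        self._items.pop(username, None)


class FakeCognitoClient:
    """Stand-in for boto3.client("cognito-idp") so the example runs offline."""

    def __init__(self):
        self.calls = []

    def admin_update_user_attributes(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def generate_otp(length=OTP_LENGTH):
    """Zero-padded numeric code from a CSPRNG; leading zeros are kept."""
    return str(secrets.randbelow(10 ** length)).zfill(length)


def _digest(username, code):
    """Keyed HMAC of the code bound to the user. A plain hash of a 6-digit code
    is brute-forced in milliseconds if the table leaks; the server key prevents
    that, and the username stops a code for one user being replayed for another."""
    return hmac.new(SERVER_KEY, f"{username}:{code}".encode(), hashlib.sha256).hexdigest()


def issue_otp(store, username, now=None):
    """Create and record a code; the plaintext is returned only for delivery."""
    now = time.time() if now is None else now
    code = generate_otp()
    store.put(username, {
        "digest": _digest(username, code),
        "expires_at": now + OTP_TTL_SECONDS,
        "attempts": 0,
    })
    # Deliver with SNS or SES, e.g. boto3.client("sns").publish(PhoneNumber=..., Message=...).
    # Never log or persist the plaintext.
    return code


def verify_otp(store, username, submitted, now=None):
    """Constant-time, single-use, expiring, attempt-limited check."""
    now = time.time() if now is None else now
    item = store.get(username)
    if item is None:
        return False
    if now > item["expires_at"]:
        store.delete(username)
        return False
    item["attempts"] += 1
    ok = hmac.compare_digest(item["digest"], _digest(username, submitted))
    if ok or item["attempts"] >= MAX_ATTEMPTS:
        # Consumed (single use) or locked out: drop the record so the user
        # has to request a fresh code either way.
        store.delete(username)
    return ok


def mark_verified(cognito_client, user_pool_id, username, attribute="email_verified"):
    """Flip the verified attribute via AdminUpdateUserAttributes (boto3 call shape).
    Use attribute="phone_number_verified" after an SMS code."""
    return cognito_client.admin_update_user_attributes(
        UserPoolId=user_pool_id,
        Username=username,
        UserAttributes=[{"Name": attribute, "Value": "true"}],
    )
```

Only call `mark_verified` after `verify_otp` returns True; the same `issue_otp`/`verify_otp` pair can back both the sign-up confirmation and a custom sign-in challenge, which is what gives the consistent length the question asks for.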
