Cognito Email MFA Setup


Hello,

We wanted to experiment with the Email MFA method since it is now officially supported by AWS Cognito. Setting up the Email MFA went well, but I received an unexpected response to the call that responds to the "EMAIL_OTP" auth challenge. The API call:

curl --location 'https://cognito-idp.us-east-1.amazonaws.com/' \
--header 'X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge' \
--header 'Content-Type: application/x-amz-json-1.1' \
--data-raw '{ "ChallengeName": "EMAIL_OTP", "ChallengeResponses": { "USERNAME": "myuser_email", "EMAIL_OTP_CODE": "123456" }, "ClientId": "myapp_client_id", "Session": "....." }'

The response is a 400 Bad Request: { "__type": "UserNotFoundException", "message": "User does not exist." }, instead of the Access Token and the other tokens.

I get this response even though the user does exist and is verified (the email need not be verified for MFA, as it is verified automatically when a valid code is provided in the auth challenge response), and the user's event history shows 'Mfa:success' for the MFA code I received via email.

Am I missing a step? Or is the call to respond to the challenge missing a piece of information, or providing the wrong information?

Thank you for your suggestions...

Akaba
asked 5 days ago, 41 views
3 Answers

I apologize for the confusion you're experiencing with the Email MFA setup in Amazon Cognito. Based on the information provided, it seems that there might be a few things to consider:

  1. Ensure that the advanced security features are active in your user pool. Email MFA requires these features to be enabled.

  2. Verify that your user pool is configured to use Amazon SES for sending emails instead of the default email configuration. This is a requirement for email MFA to function properly.

  3. Double-check that the USERNAME provided in the ChallengeResponses is correct and matches exactly with the user's username in the user pool.

  4. Make sure that the ClientId you're using is correct and associated with the user pool where the user exists.

  5. Confirm that the Session token you're passing is valid and hasn't expired. The MFA code is only valid for the duration of the authentication flow session, which is set in your app client settings.

  6. Ensure that you're using the correct API endpoint for your region (the example shows us-east-1, make sure this matches your user pool's region).

If all of these aspects are correct, the issue might be related to how the user's email attribute is set up or how the email MFA is configured for the specific user. You might want to check the user's attributes in the user pool to ensure the email is correctly associated and that MFA settings are properly configured for the user.

If the problem persists after verifying these points, you may need to contact AWS support for further assistance, as this behavior seems unexpected given that the user exists and the MFA code was successfully sent and verified according to the user event history.
Sources
Email MFA - Amazon Cognito
SMS and email message MFA - Amazon Cognito
SetUserMFAPreference - Amazon Cognito User Pools

answered 5 days ago

Hello,

Based on your case notes, I understand that you're experiencing issues with the Email MFA setup in Amazon Cognito.

To troubleshoot the "UserNotFoundException" error when attempting to set up email MFA for a Cognito user, you can try the following steps:

  1. Verify that the user account exists and is in an active state by checking the Cognito user pool using the AWS Management Console or the AWS CLI command "admin-get-user".
  2. Ensure that the user's email address is verified. If the user account was created by an administrator, the email may need to be explicitly marked as verified using the "admin-update-user-attributes" CLI command: aws cognito-idp admin-update-user-attributes --user-pool-id <user-pool-id> --username <email> --user-attributes Name="email_verified",Value="true"
  3. If the user account exists and the email is verified, try using the "SelectMFAType" method before attempting to set up email MFA, as suggested in . This method allows the user to choose their preferred MFA type (email or TOTP), which may be required for email MFA to work correctly.
  4. Check the Amazon SES logs to verify if Cognito is successfully sending emails to the user's email address. If emails are not being delivered, there may be an issue with the email configuration or deliverability.
  5. Ensure that the advanced security features are active in your user pool. Email MFA requires these features to be enabled.
  6. Double-check that the USERNAME provided in the ChallengeResponses is correct and matches exactly with the user's username in the user pool.
  7. Make sure that the ClientId you're using is correct and associated with the user pool where the user exists.
  8. Confirm that the Session token you're passing is valid and hasn't expired. The MFA code is only valid for the duration of the authentication flow session, which is set in your app client settings.
  9. Ensure that you're using the correct API endpoint for your region (the example shows us-east-1, make sure this matches your user pool's region).

If all of these aspects are correct, the issue might be related to how the user's email attribute is set up or how the email MFA is configured for the specific user. You might want to check the user's attributes in the user pool to ensure the email is correctly associated and that MFA settings are properly configured for the user.

If the above steps do not resolve the issue, you may need to enable more detailed logging or reach out to AWS Support for further assistance in debugging the specific error.

References

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security-email-mfa.html

AWS
answered 4 days ago

Hello,

Yeah, it turns out that the value I was using for the username field in the respond-to-challenge call was not the one expected. In our user pool we use the user's email address as the username, so I was using that value. But it looks like the API expects the user's sub value here.

The confusion I had is because the error message was not in line with the log in the user's event history.

Finally, this is solved: use the user's sub value as the value of the username field when calling respond-to-auth-challenge.

Thanks.

Akaba
answered 4 days ago
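Putting the thread's resolution into a script, as an added example that is not code from the question or either answer: it issues the two requests the question's curl call belongs to (InitiateAuth, then RespondToAuthChallenge) with the standard library only, and takes USERNAME for the challenge response from the challenge parameters or the user's sub instead of the e-mail alias. The region, client id, the USER_ID_FOR_SRP challenge parameter and the USER_PASSWORD_AUTH flow are assumptions, not values from the thread.

```python
import json
import urllib.error
import urllib.request

# Constructed placeholders from the question; substitute your pool's values.
REGION, CLIENT_ID = "us-east-1", "myapp_client_id"
ENDPOINT = f"https://cognito-idp.{REGION}.amazonaws.com/"
SERVICE = "AWSCognitoIdentityProviderService."

def cognito_call(target, body, endpoint=ENDPOINT):
    """POST one unauthenticated Cognito IDP request; return (status, JSON)."""
    req = urllib.request.Request(
        endpoint, data=json.dumps(body).encode(),
        headers={"X-Amz-Target": SERVICE + target,
                 "Content-Type": "application/x-amz-json-1.1"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # Cognito errors are 400 + JSON body
        return err.code, json.load(err)

def email_otp_response(challenge_params, session, otp_code, user_sub,
                       client_id=CLIENT_ID):
    """Build the RespondToAuthChallenge body for EMAIL_OTP.
    USERNAME is the identifier Cognito holds for the user (the thread's fix:
    the sub), not the e-mail alias typed at sign-in. Assumption: InitiateAuth
    reports it in ChallengeParameters as USER_ID_FOR_SRP; else use the caller's sub.
    """
    username = challenge_params.get("USER_ID_FOR_SRP", user_sub)
    return {"ChallengeName": "EMAIL_OTP", "ClientId": client_id,
            "Session": session, "ChallengeResponses": {
                "USERNAME": username, "EMAIL_OTP_CODE": otp_code}}

def classify(status, payload):
    """Map the raw reply onto the diagnosis the thread reached."""
    if status == 200 and "AuthenticationResult" in payload:
        return "ok"
    if payload.get("__type") == "UserNotFoundException":
        return "USERNAME rejected: send the user's sub, not the e-mail alias"
    return payload.get("__type", "unknown")

if __name__ == "__main__":  # needs USER_PASSWORD_AUTH enabled on the app client
    _, first = cognito_call("InitiateAuth", {
        "AuthFlow": "USER_PASSWORD_AUTH", "ClientId": CLIENT_ID,
        "AuthParameters": {"USERNAME": input("email: "),
                           "PASSWORD": input("password: ")}})
    body = email_otp_response(first.get("ChallengeParameters", {}), first["Session"],
                              input("code from e-mail: "), input("user sub: "))
    print(classify(*cognito_call("RespondToAuthChallenge", body)))
```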
