Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Cognito Forgot Password won't work with Email MFA

1

Hi,

Our client requires Email MFA so we set that up for our Cognito User Pools. We have SES set up with Cognito as well, for verification code sending. It seems to work great and we've been using it for a couple weeks.

Unfortunately, it seems to have broken the ability for users to reset their passwords via the UI "Forgot your password" link. It was failing silently, appearing to wait for a code but the users were never receiving an email (they had been before we set up email MFA).

While debugging, I set "verified_email" as priority 1 in our UserPool Cloudformation template which yielded the error "Cannot set verified_email as the only member of AccountRecoverySetting when EmailMfaConfiguration is active" upon deployment of the stack. Our user base cannot all use sms verification or an authenticator app because not everyone has a phone or technical ability for an authenticator app, but just to get to the root of the issue, I verified a phone number and set AccountRecoverySetting for the user pool to:

AccountRecoverySetting: {
			RecoveryMechanisms: [
				{ Name: "verified_email", Priority: 1 },
				{ Name: "verified_phone_number", Priority: 2 },
			],
		},

Now, when I try to use forgot password, the UI errors with "Could not reset password for the account, please contact support or try again".

It seems to be impossible to use email for forgotten password recovery as long as you have email MFA configured. I have no idea why this would be the case when we have SES set up.

Has anyone else run into this and been able to get around it?? Is this a bug because email MFA is so new or set up this way for a reason?

Thanks for any help or guidance, this is a huge issue for us.

Topics
Front-End Web & MobileBusiness ApplicationsSecurity, Identity, & Compliance
Tags
Amazon CognitoAmazon Simple Email ServiceAmazon Cognito User Pools
Language
English
asked a year ago2.9K views
2 Answers
2

So just to add a much easier alternative to this. Which is to use a Cognito custom SMS Lambda trigger - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.html

The Lambda can take the payload, decrypt the code and then send via a templated email through SES. In fact you can re-use the same lamdba for all emails (MFA, Sign-Up, Password Reset) as you can have a single lambda configured for both the Cognito custom SMS trigger AND the Cognito custom Email trigger.

The bonus of this is you get to use fully templated emails through SES Templates which uses Handlebars under the hood - to have good looking emails https://handlebarsjs.com/

Obviously you accept the fact that this means a compromised email account allows for both a password reset and MFA access. But I think choices are good - vs mandated security no matter what the actual risk is.

edit: Note - you also need to ensure the cognito profile for every user has a value for "phone_number" and that value is verified. I use a Post Confirmation trigger to put in a dummy value and set the phone number to verified

answered a year ago
  • Matt
    a year ago

    This is brilliant! I agree the compromised email becomes an issue, but for some user bases its either this or no MFA.

-2

The issue you're experiencing is not a bug, but rather a design limitation in Amazon Cognito's security model. When Email MFA is configured for a user pool, it cannot be used simultaneously as the primary method for account recovery (password reset). This limitation is in place to maintain a separation between the authentication factor (MFA) and the account recovery method.

The error message you received, "Cannot set verified_email as the only member of AccountRecoverySetting when EmailMfaConfiguration is active," confirms this limitation. Cognito prevents using the same channel (email in this case) for both MFA and account recovery to enhance security. If email were used for both purposes, it could potentially create a single point of failure if the email account were compromised.

To resolve this issue, you have a few options:

  1. Use a different method for MFA: If email is crucial for password recovery, you might consider using SMS or TOTP (Time-based One-Time Password) for MFA instead of email.

  2. Use a different method for account recovery: If email MFA is a requirement, you'll need to use an alternative method for account recovery, such as SMS or security questions.

  3. Implement a custom solution: You could create a custom workflow that uses admin APIs to reset passwords, bypassing the standard "Forgot Password" flow. This would require more development effort but could provide a solution that meets your specific needs.

  4. Use a combination of methods: As you've already attempted, you can set up multiple recovery mechanisms. However, ensure that the highest priority method is not the same as your MFA method.

Given your constraints (not all users have phones or the technical ability for authenticator apps), you might need to implement a custom solution or reconsider your MFA strategy. Perhaps offering multiple MFA options (email, SMS, and TOTP) could provide the flexibility needed while still maintaining strong security.

Remember, these limitations are in place to enhance security. While they may seem inconvenient, they're designed to protect against various attack vectors and maintain the integrity of the authentication and recovery processes.
Sources
Email MFA - Amazon Cognito
Adding MFA to a user pool - Amazon Cognito
Email settings for Amazon Cognito user pools - Amazon Cognito

answered a year ago
  • Matt
    a year ago

    This is absolutely awful. If we're trying to provide an app service to a community that may not have SMS or the technical ability to use a TOTP app - and provide them with some security like MFA, email is the ONLY option. This is a severe limitation. Do better AWS.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content