The issue you're experiencing with Cognito's password reset functionality is unexpected and inconsistent with its standard behavior. Typically, if a user has a verified email address, they should be able to reset their password without any problems, even if they don't have a phone number associated with their account.
Here are a few things to check and try:
- Verify that the account recovery settings in your user pool are correctly configured. Make sure that email is included as a recovery mechanism and that it's set to "Email only" or includes email as an option.
- Double-check that the user's email is actually marked as verified in the Cognito user pool. Sometimes there can be a discrepancy between what appears to be verified and the actual status in the system.
- Ensure that your SES email configuration is correctly set up and linked to your Cognito user pool. Test sending a test email through SES to confirm that email sending is functioning correctly.
- Check if the issue is specific to one user or affects all users in the pool. Try initiating the password reset process for a different user to see if the problem is user-specific or affects the entire pool.
- Review your user pool's account recovery settings to ensure email is prioritized for password recovery.
If the problem persists after these checks, it could potentially be due to a recent change or bug in the Cognito service. In this case, it would be advisable to contact AWS Support for further assistance, as this behavior is inconsistent with Cognito's documented functionality. They may be able to investigate if there's an underlying issue with the service or your specific configuration that's causing this unexpected error.
Remember, forcing users to provide a phone number should not be necessary if they have a verified email address, based on Cognito's standard functionality. The situation you're describing appears to be anomalous and may require further investigation by AWS.
Sources
Cognito forget password through AWS Console error | AWS re:Post
Cognito - unable to reset password with no phone number added | AWS re:Post
Passwords, account recovery, and password policies - Amazon Cognito
Hi there,
Recently, I encountered the same issue and was able to identify the cause.
In user pools where MFA is enabled, there’s a restriction on self-service password resets.
A user's preferred MFA method affects how they can recover their password. Users whose preferred MFA method is email can't receive a password reset code by email. Similarly, users whose preferred MFA method is SMS can't receive a password reset code by SMS.
This restriction exists for an important security reason — to prevent attackers from gaining access through a single authentication channel.
If you use email for MFA and are also able to reset your password via email, it means you could sign in just by knowing the email address — which defeats the purpose of MFA.
If your user pool has MFA enabled and only allows email as the MFA channel, and users don’t have a phone number registered (which is exactly my case), it seems that they have no way to reset their password on their own.
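An added example, not part of the answer above and not AWS code: a small audit that applies the restriction this answer describes to find users who have no self-service recovery channel left. It assumes dict shapes like those returned by boto3's `describe_user_pool` (the `UserPool` object) and `admin_get_user`; the pool and users below are constructed sample data, and the blocking rule is modelled only on the answer's description.

```python
# Added example. Dict shapes follow boto3 cognito-idp describe_user_pool
# ("UserPool") and admin_get_user responses. All sample data is constructed.
MFA_TO_RECOVERY = {"EMAIL_OTP": "verified_email", "SMS_MFA": "verified_phone_number"}
RECOVERY_ATTRS = {
    "verified_email": ("email", "email_verified"),
    "verified_phone_number": ("phone_number", "phone_number_verified"),
}

def usable_recovery_channels(pool, user):
    """Recovery mechanisms this user can actually use, in priority order."""
    attrs = {a["Name"]: a["Value"] for a in user.get("UserAttributes", [])}
    mechanisms = sorted(
        pool.get("AccountRecoverySetting", {}).get("RecoveryMechanisms", []),
        key=lambda m: m["Priority"],
    )
    # Assumption from the answer: with MFA enabled on the pool, the channel
    # used as the preferred MFA factor cannot also deliver the reset code.
    blocked = None
    if pool.get("MfaConfiguration", "OFF") != "OFF":
        blocked = MFA_TO_RECOVERY.get(user.get("PreferredMfaSetting"))
    usable = []
    for mech in mechanisms:
        name = mech["Name"]
        if name not in RECOVERY_ATTRS or name == blocked:
            continue  # admin_only, or same channel as the MFA factor
        value_attr, verified_attr = RECOVERY_ATTRS[name]
        if attrs.get(value_attr) and attrs.get(verified_attr) == "true":
            usable.append(name)
    return usable

def locked_out_users(pool, users):
    """Usernames with no self-service password reset channel."""
    return [u["Username"] for u in users if not usable_recovery_channels(pool, u)]

def attr_list(**kv):
    return [{"Name": k, "Value": v} for k, v in kv.items()]

POOL = {"MfaConfiguration": "ON", "AccountRecoverySetting": {"RecoveryMechanisms": [
    {"Name": "verified_email", "Priority": 1},
    {"Name": "verified_phone_number", "Priority": 2}]}}
USERS = [
    {"Username": "alice", "PreferredMfaSetting": "EMAIL_OTP",
     "UserAttributes": attr_list(email="alice@example.com", email_verified="true")},
    {"Username": "bob", "PreferredMfaSetting": "EMAIL_OTP",
     "UserAttributes": attr_list(email="bob@example.com", email_verified="true",
                                 phone_number="+15555550100", phone_number_verified="true")},
    {"Username": "carol", "PreferredMfaSetting": "SOFTWARE_TOKEN_MFA",
     "UserAttributes": attr_list(email="carol@example.com", email_verified="true")},
]

if __name__ == "__main__":
    print(locked_out_users(POOL, USERS))
```

In this sample only the user with email MFA and no verified phone number is reported, which matches the case described in the answer.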

It looks like you're facing an issue with AWS Cognito's resetPassword() function for a verified email. Can you provide more details, such as:
Error Message: Are you receiving a specific error response?
SDK/Library Used: Are you using AWS Amplify, AWS SDK (JavaScript, Python, etc.), or calling the API directly?
User Status: Is the user status "CONFIRMED" in Cognito? Unconfirmed users might not be able to reset passwords.
App Client Settings: Do you have "Allow user password reset" enabled in your Cognito user pool?
Code Snippet: Can you share the code snippet you're using to call resetPassword()?
@Balamanikandan yes, I've amended my question to include the error message, which is:
Cannot reset password for the user as there is no registered/verified email or phone_number
SDK/Library Used: This is happening on my console. I cannot manually reset the password. But I discovered the issue initially by using AWS Amplify.
User Status: yes it is confirmed, as I state in my question. I also verified this using aws cognito-idp.
App Client settings: this is happening in the AWS console. I think that is the root issue.
I am having the same issue. I'm creating my users via sign up and sign up confirmation API flow. This used to work a couple of months ago, I am more than 100% certain as I tested this dozens of times. Today I just realized that it's throwing this same error both programmatically and in the console, exactly as stated in the question.