Cognito doesn't invoke the "Define auth challenge" for users with enabled MFA #3876
Comments
Hi @alexgelman, Thanks for asking this. This is identified as a bug in Cognito service, and we will work on the prioritization for this issue.

Hi, thanks for confirming this. I have a related question, should it be possible to define the following challenge flow:

@elorzafe Do you have any update on this issue? As far as I can tell this means that Cognito currently does not honor software 2FA. Should we switch all users to SMS 2FA in the interim until this security hole is filled?

How is it possible that AWS is ok with a gaping security hole for any customer who uses TOTP based MFA. How many customers are not aware of this hole? @elorzafe I see no reply to the last gentleman who asked for feedback.

Maybe I should clarify that Cognito does honor software MFA in this scenario.

@alexgelman Were you able to fix this flow? I'm facing the same issue

@alexgelman Are you still looking for support on this issue? Please let us know

We are going to close this issue since we have not heard from you. Please let us know if you still need support and provide current steps to reproduce if you haven't already. We can reopen the issue to investigate further. Thanks

same issue

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs. Looking for a help forum? We recommend joining the Amplify Community Discord server
Describe the bug

If a user has software token MFA enabled, and the "Define auth challenge" trigger returned `PASSWORD_VERIFIER` as the challenge, Cognito will not invoke the trigger for subsequent challenges. Instead it will challenge for the MFA token on its own and return tokens on a successful challenge.

To Reproduce

Steps to reproduce the behavior:

1. Challenge flow: `PASSWORD_VERIFIER` --> `CUSTOM_CHALLENGE` --> `SOFTWARE_TOKEN_MFA`
2. `initiateAuth` with `AuthFlow=CUSTOM_AUTH` and `SRP_A` auth parameters.
3. Cognito responds with the `PASSWORD_VERIFIER` challenge.
4. `respondToAuthChallenge` with the SRP password verifier challenge response.
5. Cognito responds with a `SOFTWARE_TOKEN_MFA` challenge instead of a `CUSTOM_CHALLENGE` challenge. The trigger lambda is not invoked.
6. `respondToAuthChallenge` with the MFA token results in a successful authentication and Cognito responding with tokens.

Expected behavior

Cognito verifies the `PASSWORD_VERIFIER` challenge response and triggers the "Define auth challenge" lambda to get the next challenge.
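As an added example (not code from this issue, from Amplify or from Cognito), here is a "Define auth challenge" Lambda handler for the three-step flow described above; it relies on the documented trigger event shape (`event.request.session`, `event.response.challengeName` / `issueTokens` / `failAuthentication`), and the sample session at the bottom is constructed to mirror what the reporter observed.

```javascript
// Added example, not code from the issue or the Amplify project: a "Define auth
// challenge" Lambda handler for the flow the issue describes,
//   PASSWORD_VERIFIER --> CUSTOM_CHALLENGE --> SOFTWARE_TOKEN_MFA
// Cognito calls this trigger with event.request.session, an array of the
// challenges answered so far ({ challengeName, challengeResult, challengeMetadata }),
// and reads event.response.challengeName / issueTokens / failAuthentication.
const FLOW = ["PASSWORD_VERIFIER", "CUSTOM_CHALLENGE", "SOFTWARE_TOKEN_MFA"];

function defineAuthChallenge(event) {
  const session = (event.request && event.request.session) || [];
  const response = { challengeName: undefined, issueTokens: false, failAuthentication: false };

  // Walk the recorded session: every entry must be the expected challenge for
  // its position and must have been passed. A skipped, reordered or failed
  // step fails the whole authentication instead of falling through to tokens.
  for (let i = 0; i < session.length; i++) {
    const step = session[i];
    if (i >= FLOW.length || step.challengeName !== FLOW[i] || step.challengeResult !== true) {
      response.failAuthentication = true;
      return { ...event, response };
    }
  }

  if (session.length === FLOW.length) {
    // All three challenges passed in order: issue tokens.
    response.issueTokens = true;
  } else {
    // Otherwise ask Cognito to present the next challenge in the flow.
    response.challengeName = FLOW[session.length];
  }
  return { ...event, response };
}

// Constructed sample matching the session the issue reports: Cognito moved from
// PASSWORD_VERIFIER straight to SOFTWARE_TOKEN_MFA and skipped CUSTOM_CHALLENGE.
// Had the trigger been invoked with this session, the handler above would fail
// the authentication rather than issue tokens.
const OBSERVED_SESSION = [
  { challengeName: "PASSWORD_VERIFIER", challengeResult: true },
  { challengeName: "SOFTWARE_TOKEN_MFA", challengeResult: true },
];

// Lambda entry point (CommonJS); guarded so the file also loads as a plain script.
if (typeof module !== "undefined" && module.exports) {
  module.exports.handler = async (event) => defineAuthChallenge(event);
}
```

The handler cannot make Cognito call the trigger when it does not, which is the bug itself; what it shows is that a correctly written trigger only issues tokens after the full session is recorded, so the MFA step in the reported flow is decided by Cognito alone, not by the trigger.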