
Cognito doesn't invoke the "Define auth challenge" for users with enabled MFA #3876

Closed
alexgelman opened this issue Aug 20, 2019 · 10 comments
Labels: Cognito (Related to cognito issues), Service Team (Issues asked to the Service Team)

Comments

alexgelman commented Aug 20, 2019

Describe the bug
If a user has software token MFA enabled, and the "Define auth challenge" trigger returned PASSWORD_VERIFIER as the challenge, Cognito will not invoke the trigger for subsequent challenges. Instead, it will challenge for the MFA token on its own and return tokens on a successful challenge.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new user pool with optional MFA authentication.
  2. Define a "Define auth challenge" trigger like the one in the documentation with the following challenges: PASSWORD_VERIFIER --> CUSTOM_CHALLENGE --> SOFTWARE_TOKEN_MFA.
  3. Define the "Create auth challenge" and "Verify auth challenge response" triggers to lambdas similar to the ones in the documentation.
  4. Create a user and configure TOTP software MFA for the user.
  5. Call initiateAuth with AuthFlow=CUSTOM_AUTH and SRP_A auth parameters.
  6. Cognito triggers the "Define auth challenge" lambda and returns the PASSWORD_VERIFIER challenge.
  7. Call respondToAuthChallenge with the SRP password verifier challenge response.
  8. Cognito verifies the challenge and responds with a SOFTWARE_TOKEN_MFA challenge instead of a CUSTOM_CHALLENGE challenge. The trigger lambda is not invoked.
  9. Calling respondToAuthChallenge with the MFA token results in a successful authentication and Cognito responding with tokens.

Expected behavior
Cognito verifies the PASSWORD_VERIFIER challenge response and triggers the "Define auth challenge" lambda to get the next challenge.
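The challenge chain from steps 2 and 6 to 8, as an added example (this is not code from the issue or from the Amplify project): a Node.js "Define auth challenge" handler that walks the chain PASSWORD_VERIFIER --> CUSTOM_CHALLENGE --> SOFTWARE_TOKEN_MFA, hands out the next challenge only when every earlier step succeeded in order, and fails authentication on anything else. The names `decideNextChallenge` and `CHALLENGE_CHAIN` and the constructed session arrays are assumptions of this example; the event fields it reads and writes (`request.session[].challengeName`, `challengeResult`, `request.userNotFound`, `response.challengeName`, `response.issueTokens`, `response.failAuthentication`) are the ones the Cognito trigger contract defines. Under the behaviour reported above, Cognito never makes the third invocation for an MFA-enabled user, so the SOFTWARE_TOKEN_MFA branch is not reached in that case; the code shows what the trigger would return if it were invoked as expected.

```javascript
// Added example: a "Define auth challenge" handler for the chain in the
// report. Not code from this issue or from the Amplify project.
// Constructed assumption: the pool's custom auth flow is meant to run
// PASSWORD_VERIFIER -> CUSTOM_CHALLENGE -> SOFTWARE_TOKEN_MFA, in that order.
const CHALLENGE_CHAIN = ['PASSWORD_VERIFIER', 'CUSTOM_CHALLENGE', 'SOFTWARE_TOKEN_MFA'];

// Pure decision function over event.request.session. Returns the response
// fields to set. Default is fail-closed: any session shape that is not an
// exact, fully successful prefix of the chain ends the authentication.
function decideNextChallenge(session) {
  const deny = { issueTokens: false, failAuthentication: true };
  if (!Array.isArray(session) || session.length === 0) return deny;

  // With AuthFlow=CUSTOM_AUTH and SRP_A parameters, Cognito puts an SRP_A
  // entry first in the session; it is a marker, not one of our chain steps.
  if (session[0].challengeName !== 'SRP_A') return deny;

  const completed = session.slice(1);
  for (let i = 0; i < completed.length; i++) {
    const step = completed[i];
    if (i >= CHALLENGE_CHAIN.length) return deny;            // more steps than the chain has
    if (step.challengeName !== CHALLENGE_CHAIN[i]) return deny; // out-of-order or unknown step
    if (step.challengeResult !== true) return deny;           // a step that did not succeed
  }

  // All three steps passed: issue tokens.
  if (completed.length === CHALLENGE_CHAIN.length) {
    return { issueTokens: true, failAuthentication: false };
  }
  // Otherwise ask for the next challenge in the chain.
  return {
    issueTokens: false,
    failAuthentication: false,
    challengeName: CHALLENGE_CHAIN[completed.length],
  };
}

// Lambda entry point: Cognito expects the (possibly mutated) event back.
async function handler(event) {
  if (event.request.userNotFound) {
    // Unknown user: behave exactly like a failed flow, no extra information.
    event.response.issueTokens = false;
    event.response.failAuthentication = true;
    return event;
  }
  Object.assign(event.response, decideNextChallenge(event.request.session));
  return event;
}

// Export for Lambda when loaded as a CommonJS module.
if (typeof module !== 'undefined') {
  module.exports = { handler, decideNextChallenge, CHALLENGE_CHAIN };
}
```

The fail-closed default matters more than the happy path: a session the handler does not recognise (a step out of order, a failed step, an extra step) terminates the flow instead of falling through to `issueTokens`. The reported bug is visible from the client side, not from inside this handler, as the challenge name returned after PASSWORD_VERIFIER being SOFTWARE_TOKEN_MFA rather than the CUSTOM_CHALLENGE this chain would have produced.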

elorzafe added the Cognito, Service Team and bug (Something isn't working) labels Aug 20, 2019

@elorzafe (Contributor)

Hi @alexgelman,

Thanks for asking this. This is identified as a bug in Cognito service, and we will work on the prioritization for this issue.

@alexgelman (Author)

Hi, thanks for confirming this.

I have a related question: should it be possible to define the following challenge flow: CUSTOM_CHALLENGE --> SOFTWARE_TOKEN_MFA?
I tried doing so, but after providing the token I received an exception with the message "Invalid code or auth state for the user." even though the MFA code was valid.

@CactusFruit

@elorzafe Do you have any update on this issue? As far as I can tell this means that Cognito currently does not honor software 2FA. Should we switch all users to SMS 2FA in the interim until this security hole is filled?

arlogilbert commented Apr 30, 2020

How is it possible that AWS is ok with a gaping security hole for any customer who uses TOTP-based MFA? How many customers are not aware of this hole? @elorzafe I see no reply to the last gentleman who asked for feedback.

@alexgelman (Author)

Maybe I should clarify that Cognito does honor software MFA in this scenario.
The issue is that Cognito ignores the user-defined "Define auth challenge" trigger lambda if the first challenge returned by the lambda is PASSWORD_VERIFIER and MFA is configured for the user.

clahoud commented Aug 12, 2020

> Hi, thanks for confirming this.
>
> I have a related question: should it be possible to define the following challenge flow: CUSTOM_CHALLENGE --> SOFTWARE_TOKEN_MFA?
> I tried doing so, but after providing the token I received an exception with the message "Invalid code or auth state for the user." even though the MFA code was valid.

@alexgelman Were you able to fix this flow? I'm facing the same issue

@sammartinez sammartinez removed the bug Something isn't working label Feb 18, 2021
@sammartinez (Contributor)

@alexgelman Are you still looking for support on this issue? Please let us know.

@iartemiev (Member)

@alexgelman,

We are going to close this issue since we have not heard from you.

Please let us know if you still need support and provide current steps to reproduce if you haven't already. We can reopen the issue to investigate further.

Thanks

Famin42 commented Feb 14, 2022

Same issue.
It still doesn't work if your users use MFA and you later decide to customize the auth flow with this (the Define Auth Challenge Lambda trigger).

@github-actions

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 15, 2023