aws-amplify / amplify-android

The fastest and easiest way to use AWS from your Android app.
https://docs.amplify.aws/lib/q/platform/android/
Apache License 2.0

Difficulty Bypassing MFA Login Process in Amplify #2639

Closed Rohan-Hefer closed 10 months ago

Rohan-Hefer commented 10 months ago

I'm encountering challenges bypassing the MFA (Multi-Factor Authentication) login process in our Android application.

Currently, the default authentication flow involves users entering their credentials (username and password) followed by entering the OTP received via SMS. This process has been implemented and functions smoothly as expected, in line with the guidelines outlined in the Amplify documentation Reference: Handling SMS MFA Challenge during Sign-In.

Sign In

Amplify.Auth.signIn(
    "username",
    "password",
    result -> {
        if (result.getNextStep().getSignInStep() == AuthSignInStep.CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE &&
            result.getNextStep().getCodeDeliveryDetails() != null) {
            String destination = result.getNextStep().getCodeDeliveryDetails().getDestination();
            Log.d("SignIn", "SMS code sent to "+ destination);
            Log.d("SignIn", "Additional Info" + result.getNextStep().getAdditionalInfo());

            // Prompt the user to enter the SMSMFA code they received
            // Then invoke `confirmSignIn` api with the code
        }
    },
    error -> Log.e("AuthQuickstart", error.toString())
);

Confirm OTP

Amplify.Auth.confirmSignIn(
    "Confirmation code received via SMS",
    result -> Log.i("AuthQuickstart", result.toString()),
    error -> Log.e("AuthQuickstart", error.toString())
);

The anticipated flow after entering credentials and confirming OTP should lead directly to successful login [Expected flow: Enters Credentials > Confirms OTP > Logged in].

However, the issue arises when users attempt to bypass the MFA process by indicating that their current device is trusted, achieved through a toggle switch in the app settings which remembers the device. Although the device is marked as remembered, the system continues to prompt users to enter an OTP and an OTP is received via SMS Reference: Device Features in Amplify.

The anticipated flow after entering credentials should lead directly to successful login [Expected flow: Enters Credentials > Logged in].

Additional notes:

I aim to utilize the same user pool settings for our website, where users should always input an OTP without the option to bypass. Uncertain if this issue pertains to a configuration discrepancy. The "remember device" configuration mirrors the provided documentation. Could you kindly provide guidance on achieving the desired outcome or point out any configuration oversights? Any insights or recommendations would be immensely appreciated.

Thank you for your assistance.

Warm regards.
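As an added example (not code from the original post or from the Amplify project), here is the complete flow the post describes in one helper: the logging plugin is registered first, sign-in branches on the next step that Cognito returns, the SMS code is confirmed when a challenge is issued, and the device is remembered only when the user has opted in via the settings toggle. The `MfaSignInFlow` class, its `Ui` callback interface and the `trustThisDevice` flag are assumptions made for this example; the Amplify calls (`signIn`, `confirmSignIn`, `rememberDevice`, `fetchDevices`) and the `AuthSignInStep` values are the library's own.

```java
import android.content.Context;
import android.util.Log;

import com.amplifyframework.AmplifyException;
import com.amplifyframework.auth.AuthException;
import com.amplifyframework.auth.cognito.AWSCognitoAuthPlugin;
import com.amplifyframework.auth.result.AuthSignInResult;
import com.amplifyframework.auth.result.step.AuthNextSignInStep;
import com.amplifyframework.core.Amplify;
import com.amplifyframework.logging.AndroidLoggingPlugin;

/** Hypothetical helper written for this example; not part of Amplify. */
public final class MfaSignInFlow {
    private static final String TAG = "MfaSignInFlow";

    /** Callback the screen implements (assumed interface for this example). */
    public interface Ui {
        void promptForSmsCode(String destination);
        void onSignedIn();
        void onFailed(AuthException error);
    }

    /** Call once from Application.onCreate(). The logging plugin is added first so the
     *  auth plugin's own debug output is captured, which is what the maintainer asks for. */
    public static void configure(Context context) throws AmplifyException {
        Amplify.addPlugin(new AndroidLoggingPlugin());
        Amplify.addPlugin(new AWSCognitoAuthPlugin());
        Amplify.configure(context);
    }

    /** Step 1: credentials. Cognito decides whether an SMS challenge follows. */
    public static void signIn(String username, String password, boolean trustThisDevice, Ui ui) {
        Amplify.Auth.signIn(username, password,
            result -> handleNextStep(result, trustThisDevice, ui),
            ui::onFailed);
    }

    /** Step 2 (only when challenged): the code the user typed in. */
    public static void confirmSmsCode(String code, boolean trustThisDevice, Ui ui) {
        Amplify.Auth.confirmSignIn(code,
            result -> handleNextStep(result, trustThisDevice, ui),
            ui::onFailed);
    }

    /** Shared dispatcher: a remembered device should arrive here with DONE straight after signIn. */
    private static void handleNextStep(AuthSignInResult result, boolean trustThisDevice, Ui ui) {
        AuthNextSignInStep next = result.getNextStep();
        Log.d(TAG, "signedIn=" + result.isSignedIn() + " nextStep=" + next.getSignInStep());
        switch (next.getSignInStep()) {
            case CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE:
                String destination = next.getCodeDeliveryDetails() != null
                    ? next.getCodeDeliveryDetails().getDestination()
                    : "(destination not reported)";
                ui.promptForSmsCode(destination);
                break;
            case DONE:
                if (trustThisDevice) {
                    // Opt-in tracking: the device only counts as remembered once this succeeds.
                    Amplify.Auth.rememberDevice(
                        () -> { Log.d(TAG, "device remembered"); logDevices(); ui.onSignedIn(); },
                        error -> { Log.w(TAG, "rememberDevice failed", error); ui.onSignedIn(); });
                } else {
                    ui.onSignedIn();
                }
                break;
            default:
                ui.onFailed(new AuthException(
                    "Unhandled sign-in step: " + next.getSignInStep(),
                    "Handle this step in the app before treating the user as signed in"));
        }
    }

    /** Diagnostic: list the devices Cognito currently tracks for this user. */
    private static void logDevices() {
        Amplify.Auth.fetchDevices(
            devices -> Log.d(TAG, "tracked devices: " + devices),
            error -> Log.w(TAG, "fetchDevices failed", error));
    }
}
```

Whether a remembered device skips the SMS step is decided by the user pool's device tracking configuration (the remembering mode and whether remembered devices are allowed to skip the MFA challenge), not by the app; when the pool is set to user opt-in, the device is only remembered after `rememberDevice()` has succeeded on it, so a challenge on the very first sign-in after toggling the setting is expected. When a remembered device is still challenged on later sign-ins, the `nextStep` log line above together with the plugin output from `AndroidLoggingPlugin` is the session log to attach to a report.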

tylerjroach commented 10 months ago

@Rohan-Hefer What version of Amplify are you using? We recently fixed a bug around remember device. Please try the latest and see if the issue still persists.

If the issue is still present, please add `AndroidLoggingPlugin()` as the first configured Amplify plugin. Provide the logs of a session that required MFA where it shouldn't have.

Rohan-Hefer commented 10 months ago

@tylerjroach I am currently using version 2.14.1. I'll try version 2.14.5 and see if the issue persists.

Rohan-Hefer commented 10 months ago

It appears there was indeed a problem with an earlier version. Thank you, @tylerjroach, for bringing that to my attention. Your prompt response is greatly appreciated!

github-actions[bot] commented 10 months ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.