aws-amplify / amplify-flutter

A declarative library with an easy-to-use interface for building Flutter applications on AWS.
https://docs.amplify.aws
Apache License 2.0

TOTP MFA Reset #5716

Open dsambuk opened 4 days ago

dsambuk commented 4 days ago

Which Category is your question related to? Auth

What AWS Services are you utilizing? Cognito, Amplify


Hi all! I am running into a similar issue to the one described here.

We are utilizing Cognito for user management. MFA is set as required in the user pool and we support only the TOTP method.

I am unable to reset MFA for users.

I followed the official Amplify Flutter Documentation but the method described does not work.

Documentation states:

"If a user loses access to their TOTP device, they would need to contact an administrator to help get access to their account. Based on the Cognito User Pool configuration, the administrator can use the AdminSetUserMFAPreference to either change the MFA preference to a different MFA method or to disable MFA for the user."

I have a lambda that does exactly what is described above:

```python
import boto3

cognito_client = boto3.client('cognito-idp')

# Disable the software-token (TOTP) MFA preference for the user
response = cognito_client.admin_set_user_mfa_preference(
    SoftwareTokenMfaSettings={'Enabled': False, 'PreferredMfa': False},
    Username=username,
    UserPoolId=user_pool_id,
)
```

Lambda returns a 200 response and I see this in the user mfa preferences:

[Screenshot 2024-11-25 7:50:59 AM: user MFA preferences (image not included)]

However, the user is never prompted to set up a new MFA when going through the sign-in flow using the Authenticator for Flutter; it returns AuthenticatorStep.confirmSignInWithTotpMfaCode instead of the expected AuthenticatorStep.continueSignInWithTotpSetup.

MFA reset is a required functionality for the project.

Any help would be appreciated :)

ekjotmultani commented 4 days ago

Hello @dsambuk thank you for raising this issue, I'm sorry that the functionality seems to not be working as expected. We will investigate this and get back to you as soon as we can. By the way, what platform are you using?

dsambuk commented 3 days ago

Hey @ekjotmultani, we are using Flutter with amplify_flutter, amplify_auth_cognito and amplify_authenticator. The sign-in experience is completely managed by Amplify Authenticator.

Cognito setup: MFA is set as required, only the TOTP method is allowed, no self signup.

ekjotmultani commented 3 days ago

Thank you @dsambuk, the information will help us look into this, we'll get back to you with an update when we have one!

ekjotmultani commented 2 days ago

Hi @dsambuk. Unfortunately, there is no straightforward way to reset the TOTP device through AWS Cognito, which Authenticator and Auth are built upon. admin_set_user_mfa_preference is used to allow you to disable MFA entirely or change the method of MFA, not to reset the device. A workaround suggested is to allow the user to side-authenticate using a one-time login with email or phone number; then, once they are authenticated, you can re-enroll the user into MFA with TOTP through the Cognito SDK. I understand this is not ideal, however it is a limitation of Cognito that is hard to reconcile. Please let me know if you have any questions or need further assistance.
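The re-enrollment half of the workaround above, as an added example that is not code from the amplify-flutter project or from either commenter. It assumes the user has already completed the one-time email or phone sign-in and the backend holds a valid Cognito access token for them; the three calls (associate_software_token, verify_software_token, set_user_mfa_preference) are the real boto3 cognito-idp methods, while `code_provider` is a hypothetical callback that returns the code the user reads from their new authenticator app. A constructed FakeCognitoClient with the same method names lets the flow run offline, and it also checks the submitted code against the secret it issued, so a wrong code fails at the verify step and the MFA preference is never changed.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional


class EnableSoftwareTokenMFAException(Exception):
    """Mirrors the error the real client raises when the TOTP code is wrong."""


def totp_code(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) for a base32 secret; used by the offline fake."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(time.time() if at is None else at) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class FakeCognitoClient:
    """Constructed stand-in for boto3.client('cognito-idp') so the flow runs offline.
    Keyword arguments and response shapes match the real client."""

    def __init__(self, now: Callable[[], float] = time.time):
        # Fixed, constructed seed so results are reproducible (20 bytes -> 32 base32 chars)
        self.secret = base64.b32encode(b"example-seed-0123456").decode()
        self.now = now
        self.verified = False
        self.preference = None

    def associate_software_token(self, AccessToken):
        return {"SecretCode": self.secret}

    def verify_software_token(self, AccessToken, UserCode, FriendlyDeviceName=None):
        expected = totp_code(self.secret, at=int(self.now()))
        if not hmac.compare_digest(UserCode, expected):
            raise EnableSoftwareTokenMFAException("Code mismatch")
        self.verified = True
        return {"Status": "SUCCESS"}

    def set_user_mfa_preference(self, AccessToken, SoftwareTokenMfaSettings):
        if not self.verified:
            raise EnableSoftwareTokenMFAException("Software token not verified")
        self.preference = dict(SoftwareTokenMfaSettings)
        return {}


def real_client(region_name: str):
    """Real cognito-idp client; imported lazily so the example runs without boto3."""
    import boto3  # real dependency, only needed against a live user pool
    return boto3.client("cognito-idp", region_name=region_name)


def reenroll_totp(client, access_token: str, code_provider: Callable[[str], str],
                  device_name: str = "re-enrolled device") -> str:
    """Enrol a new TOTP device for an already signed-in user and make it the preferred MFA.

    Returns the new TOTP secret (in a real app this is shown once as an otpauth:// QR code,
    never logged or stored server-side).
    """
    # 1. Ask Cognito for a fresh TOTP secret bound to this user's session
    secret = client.associate_software_token(AccessToken=access_token)["SecretCode"]

    # 2. The user scans the secret into their authenticator and submits one code
    code = code_provider(secret)

    # 3. Prove the new device works before switching MFA over to it
    result = client.verify_software_token(
        AccessToken=access_token, UserCode=code, FriendlyDeviceName=device_name
    )
    if result.get("Status") != "SUCCESS":
        raise RuntimeError(f"TOTP verification failed: {result}")

    # 4. Only now re-enable TOTP as the required, preferred MFA method
    client.set_user_mfa_preference(
        AccessToken=access_token,
        SoftwareTokenMfaSettings={"Enabled": True, "PreferredMfa": True},
    )
    return secret


if __name__ == "__main__":
    fake = FakeCognitoClient(now=lambda: 1_700_000_000)
    secret = reenroll_totp(fake, "<access-token>", lambda s: totp_code(s, at=1_700_000_000))
    print("re-enrolled, preference:", fake.preference)
```

Against a live pool, swap `FakeCognitoClient` for `real_client(region)` and pass the access token obtained from the one-time sign-in; the rest of the flow is unchanged. The admin call from the original post (admin_set_user_mfa_preference) should still run first to clear the old device preference, and the token used here must come from a fresh authentication so that a compromised session cannot be used to silently swap a user's MFA device.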