Ad hoc MFA Auth Challenges

MattHapner commented 1 year ago

Is this related to a new or existing framework?

React

Is this related to a new or existing API?

Authentication

Is this related to another service?

Cognito

Describe the feature you'd like to request

Currently, MFA is only supported as a piece of the login flow for a backend that uses Cognito for authentication. The feature I am requesting is for an "out-of-the-box" solution that Amplify exposes in the Auth API. This feature would allow for MFA challenges to be initiated at any point in time for a user that is already authenticated. The use case I have in mind is for an additional layer of verification before completing high impact administrative operations (e.g. disabling another user, deleting a critical database resource, or changing one's password). This would function similarly to the permanently delete confirmation dialogs that AWS uses before completing certain actions, except, obviously, it would require the SMS / TOTP / email MFA token to be entered and verified.

Describe the solution you'd like

The north star would be to invoke a function again the Auth module like this:

import { Auth } from 'aws-amplify';

// Given: user is already fully logged in (with MFA enabled)
// Given: user attempts to change their password

// Send the MFA code over the specified MFA type/channel (default to the user's preferred type)
await Auth.sendMFACode("SMS_MFA");

// Prompt the user to enter the code 
await Auth.verifyMFACode(code)

// If successful, allow the user to continue with the password change

I understand that Cognito does not currently support ad hoc MFA challenges like this so collaboration would likely be needed with that team. With the increasing frequency in TOTP Authenticator apps and various forms of MFA, it seems like this could be a fairly high priority feature request.

Describe alternatives you've considered

I haven't yet tried it but am wondering if Auth.verifyTotpToken(user, challengeAnswer) would work after authentication, since the nature of a TOTP token is that there is always one present at any given time. My instinct says it will not since that is intended to be used during TOTP setup. I will give this a test to see if the TOTP case is already covered.
It was suggested during the Amplify Office Hours to make use of custom triggers in Cognito (DefineAuthChallenge) to create a OTP and inject it back in the React app via something like a callback URL. It sounds like I may be able to add my own challenge that's usable even after a user has fully logged in. It would have to tap into SNS for the SMS case. I'll keep digging into this. A managed solution would definitely be preferred :)

Additional context

No response

Is this something that you'd be interested in working on?

[ ] 👋 I may be able to implement this feature request
[ ] ⚠️ This feature might incur a breaking change

MattHapner commented 1 year ago

To follow back up, I was wrong with my instinct about verifying TOTP tokens. It turns out that Auth.verifyTotpToken(user, challengeAnswer) works outside of the login process. For now, this is an acceptable solution for me while we await the managed SMS / email solution that this ticket is requesting.

cwomack commented 1 year ago

@MattHapner, appreciate you opening up this feature request and bringing the concept up in our Discord Office Hours! We'll review this internally and follow up on this issue with any updates on progress.

cwomack commented 1 year ago

Related to #1582 (although that issue is a feature request to use password while signed in, rather than MFA).

Meags27 commented 1 year ago

Would love a solution where the user enters username and password and also MFA too before doing dangerous actions (like deleting account)

aws-amplify / amplify-js