aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

TOTP Session Expiration after Email/Password #2824

Closed buchanaf closed 5 years ago

buchanaf commented 5 years ago

Which Category is your question related to? Authorization/Cognito

What AWS Services are you utilizing? AWS Amplify

Provide additional details e.g. code snippets We've enabled TOTP on our application. The session ID obtained from the email and password login (Auth.signIn) seems to expire after roughly 3ish minutes. So if a user sits on the two-factor code page for 3 minutes, then enters their code, they receive a 'NotAuthorizedException'.

While this is not a huge concern for login, we've found a significant drop-off in registration due to many users having to download a 2FA application and set up their account. Is there any way to extend that session which is used on Auth.confirmSignIn and Auth.verifyTotpToken so that we no longer see 'NotAuthorizedException' errors thrown, which requires the user to log in again?

powerful23 commented 5 years ago

@buchanaf I am sorry, but it seems like there is nothing we can do on the Amplify side to extend that session. Can you go to the AWS Forum: https://aws.amazon.com/premiumsupport/knowledge-center/send-feedback-aws/ to send your request to the Cognito Service team directly? Thanks for your feedback!
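Since the session cannot be extended, one client-side way to handle the expiry described in this issue is sketched below. This is an added example, not part of the thread and not amplify-js code; `promptCode`, `reauthenticate` and `makeFakeAuth` are hypothetical names, and it assumes the error object carries the exception name in `err.code`, with the expired session surfacing as 'NotAuthorizedException' as reported above.

```javascript
// Added example; not amplify-js code. `auth` is any object exposing
// confirmSignIn(user, code, mfaType) the way Amplify's Auth does.
// `promptCode` and `reauthenticate` are hypothetical callbacks owned by the app.
async function confirmTotpSignIn({ auth, user, promptCode, reauthenticate,
                                   maxRestarts = 1, maxBadCodes = 2 }) {
  let restarts = 0;
  let badCodes = 0;
  for (;;) {
    const code = await promptCode({ restarts, badCodes });
    try {
      const signedIn = await auth.confirmSignIn(user, code, 'SOFTWARE_TOKEN_MFA');
      return { user: signedIn, restarts, badCodes };
    } catch (err) {
      if (err && err.code === 'CodeMismatchException' && badCodes < maxBadCodes) {
        badCodes += 1; // wrong digits: the session is still usable, ask again
        continue;
      }
      if (err && err.code === 'NotAuthorizedException' && restarts < maxRestarts) {
        // The session from Auth.signIn expired while the user was on the code
        // page. It cannot be revived, so the app collects credentials again
        // (rather than caching the password to retry silently).
        restarts += 1;
        user = await reauthenticate(); // app calls Auth.signIn, returns its result
        continue;
      }
      throw err; // any other error, or a limit was reached
    }
  }
}

// Constructed stand-in for Auth so the flow runs offline: a user object whose
// session is 'expired' is rejected; otherwise only the code '123456' is accepted.
function makeFakeAuth() {
  return {
    calls: [],
    async confirmSignIn(user, code) {
      this.calls.push([user.session, code]);
      if (user.session === 'expired') {
        throw { code: 'NotAuthorizedException', message: 'constructed sample error' };
      }
      if (code !== '123456') throw { code: 'CodeMismatchException' };
      return { username: user.username, signedIn: true };
    },
  };
}
```

Both retry limits are bounded so that a persistent failure still reaches the caller instead of looping on the code page.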

buchanaf commented 5 years ago

Ok thanks!

powerful23 commented 5 years ago

@buchanaf Please let us know if you want to reopen this issue.

peterkulik commented 5 years ago

+100 I need to extend this expiry time. My customer tested the TOTP setup and this was his first remark about our new registration/verification/login pages. New users, who haven't installed any authenticator on their phone, don't have much chance to verify their TOTP setup with the first generated QR code. So they probably have to add new accounts twice in their authenticator app, with QR codes generated twice... It's a UX destroyer.

peterkulik commented 5 years ago

> @buchanaf Please let us know if you want to reopen this issue.

Hi,

Do you have any news about this topic?

github-actions[bot] commented 3 years ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.