aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Cognito doesn't invoke the "Define auth challenge" for users with enabled MFA #3876

Closed alexgelman closed 3 years ago

alexgelman commented 5 years ago

Describe the bug
If a user has software token MFA enabled, and the "Define auth challenge" trigger returned PASSWORD_VERIFIER as the challenge, Cognito will not invoke the trigger for subsequent challenges. Instead it will challenge for the MFA token on its own and return tokens on a successful challenge.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new user pool with optional MFA authentication.
  2. Define a "Define auth challenge" trigger like the one in the documentation with the following challenges: PASSWORD_VERIFIER --> CUSTOM_CHALLENGE --> SOFTWARE_TOKEN_MFA
  3. Define the "Create auth challenge" and "Verify auth challenge response" triggers to lambdas similar to the ones in the documentation.
  4. Create a user and configure TOTP software MFA for the user.
  5. Call initiateAuth with AuthFlow=CUSTOM_AUTH and SRP_A auth parameters.
  6. Cognito triggers the "Define auth challenge" lambda and returns PASSWORD_VERIFIER challenge.
  7. Call respondToAuthChallenge with the SRP password verifier challenge response.
  8. Cognito verifies the challenge and responds with a SOFTWARE_TOKEN_MFA challenge instead of a CUSTOM_CHALLENGE challenge. The trigger lambda is not invoked.
  9. Calling respondToAuthChallenge with the MFA token results in a successful authentication and Cognito responding with tokens.

Expected behavior
Cognito verifies the PASSWORD_VERIFIER challenge response and triggers the "Define auth challenge" lambda to get the next challenge.
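As an added illustration (not code from the issue or from amplify-js), here is a "Define auth challenge" handler for the chain in step 2, written against the session/response shape documented for the Cognito Lambda trigger (assumed, including the leading SRP_A entry the SRP-based custom flow records), plus a walk through the chain that yields the sequence the reporter expected in step 8. The handler fails closed on any out-of-order or failed step; note that this cannot help with the bug itself, since in the reported case Cognito never calls the trigger after PASSWORD_VERIFIER.

```javascript
// Expected challenge order, oldest first; Cognito records the SRP_A step
// itself when initiateAuth is called with CUSTOM_AUTH and SRP_A parameters.
const CHAIN = ['SRP_A', 'PASSWORD_VERIFIER', 'CUSTOM_CHALLENGE', 'SOFTWARE_TOKEN_MFA'];

// Define Auth Challenge trigger: event.request.session lists the challenges
// answered so far; the handler fills in event.response.
function defineAuthChallenge(event) {
  const session = event.request.session || [];
  const response = { issueTokens: false, failAuthentication: false };

  // Fail closed: every prior step must be the expected challenge, in order, and passed.
  for (let i = 0; i < session.length; i++) {
    if (session[i].challengeName !== CHAIN[i] || session[i].challengeResult !== true) {
      response.failAuthentication = true;
      event.response = response;
      return event;
    }
  }
  if (session.length < CHAIN.length) {
    response.challengeName = CHAIN[session.length]; // next challenge to issue
  } else {
    response.issueTokens = true;                    // whole chain passed
  }
  event.response = response;
  return event;
}

// Walk the chain assuming every challenge is answered correctly and return the
// challenge names the trigger issues. This is the sequence the issue expects;
// in the reported bug Cognito stops calling the trigger after PASSWORD_VERIFIER
// for a user with TOTP MFA and issues SOFTWARE_TOKEN_MFA on its own.
function expectedSequence() {
  const session = [{ challengeName: 'SRP_A', challengeResult: true }]; // constructed
  const issued = [];
  for (;;) {
    const { response } = defineAuthChallenge({ request: { session: session.slice() }, response: {} });
    if (response.failAuthentication) return { issued, outcome: 'FAIL' };
    if (response.issueTokens) return { issued, outcome: 'TOKENS' };
    issued.push(response.challengeName);
    session.push({ challengeName: response.challengeName, challengeResult: true });
  }
}
```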

elorzafe commented 5 years ago

Hi @alexgelman,

Thanks for asking this. This is identified as a bug in Cognito service, and we will work on the prioritization for this issue.

alexgelman commented 5 years ago

Hi, thanks for confirming this.

I have a related question: should it be possible to define the following challenge flow: CUSTOM_CHALLENGE --> SOFTWARE_TOKEN_MFA? I tried doing so, but after providing the token I received an exception with the message "Invalid code or auth state for the user." even though the MFA code was valid.

CactusFruit commented 4 years ago

@elorzafe Do you have any update on this issue? As far as I can tell this means that Cognito currently does not honor software 2FA. Should we switch all users to SMS 2FA in the interim until this security hole is filled?

arlogilbert commented 4 years ago

How is it possible that AWS is ok with a gaping security hole for any customer who uses TOTP-based MFA? How many customers are not aware of this hole? @elorzafe I see no reply to the last gentleman who asked for feedback.

alexgelman commented 4 years ago

Maybe I should clarify that Cognito does honor software MFA in this scenario. The issue is that Cognito ignores the user-defined "Define auth challenge" trigger lambda if the first challenge returned by the lambda is PASSWORD_VERIFIER and MFA is configured for the user.

clahoud commented 4 years ago

> Hi, thanks for confirming this.
>
> I have a related question: should it be possible to define the following challenge flow: CUSTOM_CHALLENGE --> SOFTWARE_TOKEN_MFA? I tried doing so, but after providing the token I received an exception with the message "Invalid code or auth state for the user." even though the MFA code was valid.

@alexgelman Were you able to fix this flow? I'm facing the same issue

sammartinez commented 3 years ago

@alexgelman Are you still looking for support on this issue? Please let us know

iartemiev commented 3 years ago

@alexgelman,

We are going to close this issue since we have not heard from you.

Please let us know if you still need support and provide current steps to reproduce if you haven't already. We can reopen the issue to investigate further.

Thanks

Famin42 commented 2 years ago

Same issue, still doesn't work if your users use MFA and later you decide to customize the auth flow with this (Define Auth Challenge Lambda trigger).

github-actions[bot] commented 1 year ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.