Closed alexgelman closed 3 years ago
Hi @alexgelman,
Thanks for asking this. This is identified as a bug in Cognito service, and we will work on the prioritization for this issue.
Hi, thanks for confirming this.
I have a related question, should it be possible to define the following challenge flow: CUSTOM_CHALLENGE --> SOFTWARE_TOKEN_MFA
I tried doing so, but after providing the token I received an exception with the message "Invalid code or auth state for the user." even though the MFA code was valid.
@elorzafe Do you have any update on this issue? As far as I can tell this means that Cognito currently does not honor software 2FA. Should we switch all users to SMS 2FA in the interim until this security hole is filled?
How is it possible that AWS is ok with a gaping security hole for any customer who uses TOTP based MFA. How many customers are not aware of this hole? @elorzafe I see no reply to the last gentleman who asked for feedback.
Maybe I should clarify that Cognito does honor software MFA in this scenario.
The issue is that Cognito ignores the user-defined "Define auth challenge" trigger lambda if the first challenge returned by the lambda is PASSWORD_VERIFIER and MFA is configured for the user.
@alexgelman Were you able to fix this flow? I'm facing the same issue
@alexgelman Are you still looking for support on this issue? Please let us know
@alexgelman,
We are going to close this issue since we have not heard from you.
Please let us know if you still need support and provide current steps to reproduce if you haven't already. We can reopen the issue to investigate further.
Thanks
Same issue, still doesn't work: if your users use MFA and later you decide to customize the auth flow with this (Define Auth Challenge Lambda trigger).
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.
Describe the bug
If a user has software token MFA enabled, and the "Define auth challenge" trigger returned PASSWORD_VERIFIER as the challenge, Cognito will not invoke the trigger for subsequent challenges. Instead it will challenge for the MFA token on its own and return tokens on a successful challenge.

To Reproduce
Steps to reproduce the behavior:
1. The "Define auth challenge" trigger is set up for the flow PASSWORD_VERIFIER --> CUSTOM_CHALLENGE --> SOFTWARE_TOKEN_MFA
2. Call initiateAuth with AuthFlow=CUSTOM_AUTH and SRP_A auth parameters.
3. Cognito responds with a PASSWORD_VERIFIER challenge.
4. Call respondToAuthChallenge with the SRP password verifier challenge response.
5. Cognito responds with a SOFTWARE_TOKEN_MFA challenge instead of a CUSTOM_CHALLENGE challenge. The trigger lambda is not invoked.
6. Calling respondToAuthChallenge with the MFA token results in a successful authentication and Cognito responding with tokens.

Expected behavior
Cognito verifies the PASSWORD_VERIFIER challenge response and triggers the "Define auth challenge" lambda to get the next challenge.
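Added example (not code from this issue thread, nor from Amplify or Cognito): a "Define auth challenge" Lambda handler that drives the sequence the report describes, PASSWORD_VERIFIER --> CUSTOM_CHALLENGE --> SOFTWARE_TOKEN_MFA, and generalizes to any ordered list of challenges (the CUSTOM_CHALLENGE --> SOFTWARE_TOKEN_MFA variant asked about above is covered the same way). It follows the documented trigger contract (event.request.session as a list of { challengeName, challengeResult } entries; the handler fills event.response.challengeName, issueTokens and failAuthentication) and assumes, as in the AWS documentation example, that an SRP-initiated custom flow records an SRP_A entry first. buildEvent and nextStep are constructed helpers for running it locally. Note what the handler cannot do: if Cognito stops invoking the trigger after PASSWORD_VERIFIER for MFA-enabled users, as reported, the CUSTOM_CHALLENGE step is simply never requested; the out-of-order check below only shows what the handler would reject if it were invoked.

```javascript
// Added example, not code from the issue thread or from Amplify/Cognito.
// Define Auth Challenge handler that fails closed: tokens are issued only when
// every challenge in the configured flow was passed, in order, and any
// unexpected, failed or out-of-order step denies authentication.

// Build a handler for any ordered list of challenge names.
function makeDefineAuthChallenge(flow) {
  return function defineAuthChallenge(event) {
    const session = (event.request && event.request.session) || [];
    const response = { challengeName: null, issueTokens: false, failAuthentication: false };
    const deny = () => {
      response.failAuthentication = true;
      event.response = response;
      return event;
    };

    // Assumption (per the AWS docs example): when the client initiates with
    // SRP_A, Cognito records an SRP_A entry as the first session step. Skip it
    // before matching the user-defined flow, but only if it succeeded.
    let steps = session;
    if (steps.length > 0 && steps[0].challengeName === 'SRP_A') {
      if (steps[0].challengeResult !== true) return deny();
      steps = steps.slice(1);
    }

    // Every answered challenge must be the expected one, at the expected
    // position, and must have been passed.
    for (let i = 0; i < steps.length; i++) {
      const expected = flow[i];
      if (expected === undefined ||
          steps[i].challengeName !== expected ||
          steps[i].challengeResult !== true) {
        return deny();
      }
    }

    if (steps.length === flow.length) {
      response.issueTokens = true;          // whole flow passed in order
    } else {
      response.challengeName = flow[steps.length]; // ask for the next one
    }
    event.response = response;
    return event;
  };
}

// Constructed helper: build a trigger event from [challengeName, passed] pairs.
// A real event carries more fields (userName, callerContext, request.userAttributes).
function buildEvent(steps) {
  return {
    request: {
      session: steps.map(([challengeName, challengeResult]) => ({ challengeName, challengeResult })),
    },
    response: {},
  };
}

// Constructed helper: the response the handler would give for answered steps.
function nextStep(flow, steps) {
  return makeDefineAuthChallenge(flow)(buildEvent(steps)).response;
}

const ISSUE_FLOW = ['PASSWORD_VERIFIER', 'CUSTOM_CHALLENGE', 'SOFTWARE_TOKEN_MFA'];
const handler = makeDefineAuthChallenge(ISSUE_FLOW);

if (typeof module !== 'undefined') {
  module.exports = { makeDefineAuthChallenge, buildEvent, nextStep, ISSUE_FLOW, handler };
}
```

Deploy `handler` as the user pool's Define Auth Challenge trigger. It denies on the first failed answer; allowing a bounded number of retries on CUSTOM_CHALLENGE is a policy choice, but the ordering check should stay strict, because a session that reaches SOFTWARE_TOKEN_MFA without a passed CUSTOM_CHALLENGE is exactly the sequence this issue reports Cognito producing on its own.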