aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Recover account when MFA device lost. Add reset/forgot TOTP feature #4722

Open bstrech opened 4 years ago

bstrech commented 4 years ago

When users have configured MFA with SMS or TOTP and lose access to their device, amplify should support a method for account recovery. For example:

- Allow the user to generate a new verification code to be sent to their email address
- Create a recovery code when enabling MFA which could be used to reset their account
- Set up a secondary phone or email for recovery

Ideally this wouldn't disable MFA but allow the user in and then they can update their MFA preferences/phone.

sandeepk000 commented 4 years ago

Hi @bstrech, @powerful23, @mlabieniec, is there any way we can reset MFA using admin CLI commands? Currently, when I use AdminSetUserMFAPreference I am only able to set preferredMFA to NONE, but on the next login ChallengeName doesn't change to 'SETUP_MFA'; instead it's stuck at 'SOFTWARE_TOKEN_MFA'.

ArturV93 commented 1 year ago

> Hi @bstrech, @powerful23, @mlabieniec, is there any way we can reset MFA using admin CLI commands? Currently, when I use AdminSetUserMFAPreference I am only able to set preferredMFA to NONE, but on the next login ChallengeName doesn't change to 'SETUP_MFA'; instead it's stuck at 'SOFTWARE_TOKEN_MFA'.

It would be beneficial to have a feature that enables administrators to reset the challengeName to MFA_SETUP either through the AWS Cognito UI or via the CLI. This feature would address the issue of MFA recovery. Currently, the available option is to use AdminRespondToAuthChallenge. However, the drawback is that it requires the user's password to generate a session, which is necessary for updating the challengeName.

If anyone knows how to generate a session or change the challengeName in AWS Cognito without requiring knowledge of the user's password, please share your insights or solutions.

FritjofH commented 1 year ago

Doesn't seem like there has been much happening with this recently. I would very much want to see this function implemented.

Having the "standard" recovery codes would be nice, or a way to remove the MFA device currently used, so that you can add a new one later.

elawad commented 4 months ago

Also facing this issue. We opened a ticket with AWS Support.

Unfortunately with "Required" MFA, there's no easy way to reset a user's TOTP MFA to setup a new one. Not ideal, but we resorted to making the userpool use "Optional" MFA.

Another way is perhaps to create a Custom Auth Challenge using Lambdas.

a-khalilov commented 1 month ago

As I don't have a lot of time to wait for this feature, and in production it's very risky to lose TOTP and not provide users a way to reset it, I created a solution; you can read it at https://medium.com/@alexkhalilov/how-to-reset-aws-cognito-lost-totp-c08c36892a6c