aws-solutions / cognito-user-profiles-export-reference-architecture

A reference architecture for exporting user profiles, group details, and group memberships from an Amazon Cognito User Pool to an Amazon DynamoDB global table using AWS Step Functions and AWS Lambda.
https://aws.amazon.com/solutions/implementations/cognito-user-profiles-export-reference-architecture/
Apache License 2.0

Backup with optional MFA #8

Closed mk0sojo closed 1 year ago

mk0sojo commented 3 years ago

Is your feature request related to a problem? Please describe.
We have MFA set to optional on our user pool. We need to back it up.

Describe the feature you'd like
As MFA cannot be transferred to the new pool, we would be fine with having it switched off for all users in the new pool.

ericquinones commented 3 years ago

Hi - Thank you for reaching out. We decided not to allow export of user profiles when the user pool had MFA enabled because as you noted, we would not be able to transfer MFA preferences to user profiles in the new pool. This is because we're unable to replicate the user's MFA token that was used to configure their time-based one-time passwords as the second factor.

If you are okay with the new user pool not having MFA enabled, you can try a custom build of our solution where the MFA checks have been removed. We check the MFA configuration in two places:

We also set the cognito:mfa_enabled flag to false when importing user profiles into the new user pool, here.

We have instructions in our README for creating a custom build from the source. Please make sure to test (both Export and Import) this on a development/test user pool prior to production.
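A pre-flight check of the kind a custom build with the MFA checks removed would still want, as an added example (not the solution's own code): it reads the pool's MfaConfiguration and each user's UserMFASettingList from the cognito-idp response shapes and reports which users would lose their second factor on import, so the downgrade the thread describes can be measured before it is accepted. boto3 is assumed only for the live variant; the sample data is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class MfaImpact:
    pool_mfa: str                 # MfaConfiguration: 'OFF' | 'ON' | 'OPTIONAL'
    users_total: int
    affected: list[str] = field(default_factory=list)  # users who would lose MFA

    @property
    def export_allowed(self) -> bool:
        # Stricter than a build that simply drops the MFA checks: a pool that
        # requires MFA is still refused, because every user would be downgraded.
        return self.pool_mfa != "ON"

def assess_mfa_impact(mfa_config: dict, users: list[dict]) -> MfaImpact:
    """mfa_config: a GetUserPoolMfaConfig response; users: AdminGetUser-shaped
    records. Only MfaConfiguration and UserMFASettingList are read."""
    pool_mfa = mfa_config.get("MfaConfiguration", "OFF")
    affected = [u["Username"] for u in users if u.get("UserMFASettingList")]
    return MfaImpact(pool_mfa, len(users), affected)

def fetch_mfa_impact(user_pool_id: str) -> MfaImpact:
    """Live variant: pulls the pool config and every user via boto3 (assumed
    installed and credentialed; the rest of the block works offline)."""
    import boto3
    cidp = boto3.client("cognito-idp")
    cfg = cidp.get_user_pool_mfa_config(UserPoolId=user_pool_id)
    users = []
    for page in cidp.get_paginator("list_users").paginate(UserPoolId=user_pool_id):
        for u in page["Users"]:
            users.append(cidp.admin_get_user(UserPoolId=user_pool_id, Username=u["Username"]))
    return assess_mfa_impact(cfg, users)

# Constructed sample data shaped like the two API responses (not real pool output).
SAMPLE_CFG = {"MfaConfiguration": "OPTIONAL",
              "SoftwareTokenMfaConfiguration": {"Enabled": True}}
SAMPLE_USERS = [
    {"Username": "alice", "UserMFASettingList": ["SOFTWARE_TOKEN_MFA"],
     "PreferredMfaSetting": "SOFTWARE_TOKEN_MFA"},
    {"Username": "bob"},                          # never enrolled a second factor
    {"Username": "carol", "UserMFASettingList": []},
]

if __name__ == "__main__":
    r = assess_mfa_impact(SAMPLE_CFG, SAMPLE_USERS)
    print(f"pool MFA={r.pool_mfa} export_allowed={r.export_allowed} "
          f"{len(r.affected)}/{r.users_total} users lose MFA: {r.affected}")
```

Run it against a development pool first, as the comment above advises; the affected list is what you would use to plan the user messaging during a fail-over.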

lanskyb commented 3 years ago

@ericquinones Hi, we are interested in having the solution proposed above because we have a similar problem in the case of Disaster Recovery. Can you release it as an official one?

lanskyb commented 3 years ago

@tomnight Hey, you just closed it while I was writing my comment. Can you please re-open it?

ericquinones commented 3 years ago

Hi @lanskyb -

Apologies for the timing of closing the issue. We closed a few issues in quick succession because we'd just completed posting the v1.0.1 release. I'll make sure the issue is reopened.

I will speak with the team to see if we can support this in the next release. To clarify, your current user pool has MFA enabled, correct? Is MFA set to required or optional?

A bit more information about your use case would be helpful as well. For example, are you interested in the functionality that imports the user profiles to a new user pool, or are you more interested in exporting to DynamoDB? The reason I ask is that we wouldn't be able to configure MFA in the new user pool as part of the Import workflow (due to the reasons listed above), so I want to clarify whether that will work for your use case.

Thanks!

lanskyb commented 3 years ago

@ericquinones No worries, thanks a lot for your reply. We are developing a multi-tenant auth middleware based on Cognito pools for our platform that will be using MFA as a required option. We will also need multi-region pool replication for our Disaster Recovery solution (import the user profiles to a new user pool in another region). The optimal solution would have MFA enabled in the second region, activated on demand in case of a failure of the first region, but if this is impossible right now we will be OK with users being able to log in without MFA in the case of Disaster Recovery. Do you think your proposed solution will work for us?

ericquinones commented 3 years ago

Hi @lanskyb - I spoke with the team and the solution doesn't support MFA because if your primary user pool had MFA enabled and you need to fail over, the users of your applications would essentially get their security settings downgraded. We don't feel comfortable supporting that scenario.

You do have the option of modifying the solution to disable the MFA checks. We recommend that you determine whether the end users will be okay with the impact of MFA being disabled, and consider how to message that and the password change requirement during a fail-over event.

lanskyb commented 3 years ago

Hi @ericquinones ,

I understand why the team doesn't feel comfortable supporting this approach, but what is your and the team's recommendation for us? Should we consider a different solution such as Auth0, or is there any workaround or near-future plan to solve this?

lanskyb commented 3 years ago

Hi @ericquinones , do you have any updates on my questions? Thanks

ericquinones commented 3 years ago

Hi @lanskyb - Apologies for the delay. Our team (AWS Solutions) created this reference architecture to support a limited number of customer scenarios, though the code is open source and you are free to modify and customize as you see fit. Beyond what's supported by this solution, we aren't able to advise on the Cognito team's roadmap or suggest alternatives.

C-h-e-r-r-y commented 1 year ago

Optional MFA migration works. I do not know who said the opposite and why the Lambda throws an exception. Just remove the check for MFA in the user pool and it will work.

mikeols commented 1 year ago

Closing old ticket. It looks like questions have been addressed.