data-dot-all / dataall

A modern data marketplace that makes collaboration among diverse users (like business, analysts and engineers) easier, increasing efficiency and agility in data projects on AWS.
https://data-dot-all.github.io/dataall/
Apache License 2.0

MFA Authentication in Cognito #599

Open dlpzx opened 11 months ago

dlpzx commented 11 months ago

A customer is asking if we can customize the data.all Infrastructure Amazon Cognito and enable MFA using Authenticator Apps.

MFA authentication makes users in Cognito log in in a more secure way. In Cognito you can enable SMS or Authenticator Apps; the customer is interested in Authenticator Apps like Google Authenticator.

I know we can set it up with Cognito, but because the Cognito user pool does not require an email attribute in the sign-up experience, I am unable to enable Authenticator Apps as the MFA method.

dlpzx commented 11 months ago

It looks like we could do some changes in deploy/stacks/cognito.py based on this documentation.

We first need to add required attributes for sign-up. Something like...

        # deploy/stacks/cognito.py, inside the stack constructor
        # (module-level import: from aws_cdk import aws_cognito as cognito)
        self.user_pool = cognito.UserPool(
            self,
            f'UserPool-{envname}',
            user_pool_name=f'{resource_prefix}-{envname}-userpool',
            self_sign_up_enabled=False,
            sign_in_aliases=cognito.SignInAliases(username=True, email=True),
            # email becomes a required (and immutable) sign-up attribute
            standard_attributes=cognito.StandardAttributes(
                email=cognito.StandardAttribute(
                    required=True,
                    mutable=False,
                ),
            ),
            # enforce MFA and allow both SMS and authenticator-app (TOTP) factors
            mfa=cognito.Mfa.REQUIRED,
            mfa_second_factor=cognito.MfaSecondFactor(
                sms=True,
                otp=True,
            ),
            password_policy=cognito.PasswordPolicy(
                min_length=8,
                require_digits=True,
                require_uppercase=True,
                require_lowercase=True,
                require_symbols=True,
            ),
        )

dlpzx commented 10 months ago

Updates from internal conversation with customer: for an existing deployment of data.all the above approach is an issue, as it turned out such an attribute cannot be changed if the user pool is already created.

Our recommendation is either to start from a fresh deployment or, in case that is not possible (as a workaround), to define a different id for the Cognito user pool depending on the MFA settings. In the above code we should change the id from f'UserPool-{envname}' to something like f'UserPool-{envname}-{config}', where config is the MFA config that we can read from the cdk.json file. Having a different id would replace the resource in CloudFormation and in theory this would avoid the reported errors; however, it is a hypothesis and it has not been tested.

Once this testing by the customer is complete we will be able to design a final solution for the open-source version.
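As an added illustration (not code from the data.all project or from dlpzx), the following stand-alone Python shows the shape of the workaround described in this thread: the MFA settings are read from a hypothetical `mfa` block in cdk.json, folded into the user pool's construct id so that a settings change produces a new logical id, and turned into the keyword arguments the earlier snippet passes to `cognito.UserPool`. It builds plain dicts instead of importing aws_cdk so it runs without a CDK environment; the `mfa` key, its fields, the id suffix scheme and the rule that email is only forced to be required when MFA is on are assumptions.

```python
import json

# Constructed sample of the relevant part of a cdk.json file. The "mfa"
# context key is hypothetical; data.all's real cdk.json schema is not shown here.
SAMPLE_CDK_JSON = """
{
  "context": {
    "envname": "prod",
    "resource_prefix": "dataall",
    "mfa": {"mode": "required", "otp": true, "sms": false}
  }
}
"""

# Mirrors the cognito.Mfa enum values (OFF / OPTIONAL / REQUIRED).
VALID_MODES = {"off", "optional", "required"}


def load_mfa_config(cdk_json_text: str) -> dict:
    """Read and validate the hypothetical 'mfa' context block from cdk.json text."""
    ctx = json.loads(cdk_json_text)["context"]
    mfa = ctx.get("mfa", {"mode": "off", "otp": False, "sms": False})
    mode = mfa.get("mode", "off")
    if mode not in VALID_MODES:
        raise ValueError(f"unknown mfa mode {mode!r}, expected one of {sorted(VALID_MODES)}")
    otp, sms = bool(mfa.get("otp")), bool(mfa.get("sms"))
    # Enabling MFA without selecting a second factor would leave no way to enrol.
    if mode != "off" and not (otp or sms):
        raise ValueError("mfa enabled but neither otp nor sms second factor selected")
    return {"mode": mode, "otp": otp, "sms": sms}


def user_pool_construct_id(envname: str, mfa: dict) -> str:
    """Construct id of the form UserPool-{envname}-{config} suggested in the thread.

    Encoding the MFA settings in the id means a settings change yields a new
    logical id, so CloudFormation replaces the pool rather than trying to
    update attributes that cannot change on an existing user pool.
    """
    if mfa["mode"] == "off":
        suffix = "off"
    else:
        factors = "-".join(f for f in ("otp", "sms") if mfa[f])
        suffix = f"{mfa['mode']}-{factors}"
    return f"UserPool-{envname}-{suffix}"


def user_pool_kwargs(envname: str, resource_prefix: str, mfa: dict) -> dict:
    """Plain-dict equivalent of the keyword arguments passed to cognito.UserPool."""
    kwargs = {
        "user_pool_name": f"{resource_prefix}-{envname}-userpool",
        "self_sign_up_enabled": False,
        "sign_in_aliases": {"username": True, "email": True},
        # Assumption: email is forced to be a required attribute only when MFA
        # is on (the thread reports that authenticator-app MFA needed it).
        "standard_attributes": {
            "email": {"required": mfa["mode"] != "off", "mutable": False},
        },
        "password_policy": {
            "min_length": 8,
            "require_digits": True,
            "require_uppercase": True,
            "require_lowercase": True,
            "require_symbols": True,
        },
    }
    if mfa["mode"] != "off":
        kwargs["mfa"] = mfa["mode"].upper()  # e.g. "REQUIRED" -> cognito.Mfa.REQUIRED
        kwargs["mfa_second_factor"] = {"otp": mfa["otp"], "sms": mfa["sms"]}
    return kwargs


if __name__ == "__main__":
    cfg = load_mfa_config(SAMPLE_CDK_JSON)
    print(user_pool_construct_id("prod", cfg))
    print(json.dumps(user_pool_kwargs("prod", "dataall", cfg), indent=2))
```

In a real stack the two return values would be passed as `cognito.UserPool(self, construct_id, **kwargs)` with the dict values swapped for the corresponding CDK classes; the point of the id derivation is that it makes the replacement explicit in the template diff, so the resulting loss of existing users in the old pool is visible before deployment.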