Amplify-js: MFA for disabling MFA, changing password

Created on 9 May 2018 · 7 Comments · Source: aws-amplify/amplify-js

There seem to be several best practices missing from Cognito's MFA implementation. See Gmail or GitHub for examples of the below implemented properly.

With Cognito, a user who has TOTP MFA enabled can:

  • disable their MFA (assuming MFA is optional on their user pool) without needing to confirm their password or enter an MFA code
  • change their password without needing an MFA code
  • reset their password without needing an MFA code

In addition, there appears to be no way to download recovery codes that can be used instead of MFA codes in case they lose their TOTP device.

This means that Cognito is both too permissive and too stringent.

A legitimate user who loses their TOTP device has no way to recover their account without admin intervention (which is susceptible to social engineering), as there are no recovery codes. Even resetting their password will not change their MFA status.

Conversely, an attacker who finds a laptop left open and signed in can disable MFA with no credentials, swipe the user's password from their password manager, and change the user's email + password, taking full control of their account without needing the TOTP device.

Are there plans to address those points? Am I missing something?

Labels: Cognito, feature-request, pending-close-response-required

All 7 comments

@tomquisel I wonder if there's been any updates on generating the recovery codes for a user account with MFA on Cognito

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

Bump. This is a huge issue and should be addressed.

Agreed. Cognito should bring best security practices instead of breaking them :/ But I am afraid it will not be implemented as it would be a breaking change.

It's been 7 months since filipsuk made the last comment, but it doesn't seem like we have solutions for recovery from MFA. Am I right?

Short answer: don't use Cognito if you want a proper security model 😩
