Amplify-js: Setting device as remembered does not suppress MFA challenge

Created on 28 May 2018 · 9 Comments · Source: aws-amplify/amplify-js

Do you want to request a feature or report a bug?
Bug

_Note: This issue has already been reported to the Cognito Development team via the support centre, and it was suggested to create an issue on the GitHub repo for the SDK as well for monitoring._

What is the current behavior?

This issue occurs only with the device that the user uses to change the password at the first sign-in. Marking that device as remembered (while MFA is enabled for that user) does not suppress the MFA challenge on next logins. The user has to complete the MFA challenge one more time while the device is marked as remembered in order for it to suppress MFA challenges on future logins. User pool settings are below:

a. MFA settings 
   Optional
b. Device Settings
  Remember Devices - User Opt-in
  Avoid MFA with Remembered devices - Yes.

This issue does not occur on any subsequent devices tracked by Cognito. As mentioned above, this is only for the device used for the password-reset-required scenario. Below is the screencast of this issue reproduction


Steps performed in screencast:
1) New user logs in _(new user is required to change password)_
2) User fills his info for password change _(User is prompted for name only. Rest of the info is preconfigured programmatically)_
3) User logs out -> logs in again and enables MFA for his verified phone number
4) User logs out and on next login is prompted for MFA code to login as expected
5) User logs out and on next login ticks the checkbox to set the device as remembered
6) User is prompted for MFA challenge upon which user's device is marked as remembered _(From AWS console it can be verified that there is only one device being tracked on which user initial sign-in password change was done and that is marked as remembered as well)_
7) Log out and login again
8) User is prompted for MFA challenge Again!! Even though his device is marked as remembered and as per user pool configuration, user should not be asked for MFA challenge on remembered device

What is the expected behavior?
Once device is marked as remembered, then it should not ask for MFA challenge on that device again.

Which versions of Amplify, and which browser / OS are affected by this issue? Did this work in previous versions?

  • amazon-cognito-identity-js 2.0.3
  • Issue is reproducible on chrome/firefox/safari _(Did not test on any other browser)_
  • It does not work on previous versions either
Cognito question

All 9 comments

Hi @yuntuowang any updates on this?

@falloutcoder,

Have you received any more related information from the Cognito service support center?

@falloutcoder +1. Did you manage to find a workaround for this?

@jordanranz We got the same issue. Support asked me to submit a ticket here and I found this thread. case no: 5602646571.

It's been a year now, hasn't cognito found a fix for this???

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

For people reaching here, the workaround is to call remembering the current device before calling the setting up mfa api.

Same problem here. The workaround is appreciated but is not always an option. In our case, we allow the user to choose whether they would like the device to be remembered or not before _or after_ they enable SMS MFA.

@falloutcoder @ruiyang @cshouts-tasc

I have just tried the latest version of amazon-cognito-identity-js and it works for me on the browser.

I have this configuration on my user pool

In summary I have
MFA: Optional,
Device remember: Opt in
User remember device to suppress MFA: ON

Following is the full description of my User Pool

{
    "UserPool": {
        "Id": "us-west-2_xxxxxxx",
        "Name": "xxxxxxxx-devm",
        "Policies": {
            "PasswordPolicy": {
                "MinimumLength": 8,
                "RequireUppercase": false,
                "RequireLowercase": false,
                "RequireNumbers": false,
                "RequireSymbols": false,
                "TemporaryPasswordValidityDays": 7
            }
        },
        "LambdaConfig": {},
        "LastModifiedDate": "2020-05-07T19:34:53.764000-07:00",
        "CreationDate": "2020-05-07T11:20:14.286000-07:00",
        "SchemaAttributes": [
            {
                "Name": "sub",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": false,
                "Required": true,
                "StringAttributeConstraints": {
                    "MinLength": "1",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "name",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "given_name",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "family_name",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "middle_name",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "nickname",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "preferred_username",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "profile",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "picture",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "website",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "email",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": true,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "email_verified",
                "AttributeDataType": "Boolean",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false
            },
            {
                "Name": "gender",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "birthdate",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "10",
                    "MaxLength": "10"
                }
            },
            {
                "Name": "zoneinfo",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "locale",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "phone_number",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "phone_number_verified",
                "AttributeDataType": "Boolean",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false
            },
            {
                "Name": "address",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "0",
                    "MaxLength": "2048"
                }
            },
            {
                "Name": "updated_at",
                "AttributeDataType": "Number",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "NumberAttributeConstraints": {
                    "MinValue": "0"
                }
            }
        ],
        "AutoVerifiedAttributes": [
            "email"
        ],
        "SmsVerificationMessage": "Your verification code is {####}",
        "EmailVerificationMessage": "Your verification code is {####}",
        "EmailVerificationSubject": "Your verification code",
        "VerificationMessageTemplate": {
            "SmsMessage": "Your verification code is {####}",
            "EmailMessage": "Your verification code is {####}",
            "EmailSubject": "Your verification code",
            "DefaultEmailOption": "CONFIRM_WITH_CODE"
        },
        "MfaConfiguration": "OPTIONAL",
        "DeviceConfiguration": {
            "ChallengeRequiredOnNewDevice": true,
            "DeviceOnlyRememberedOnUserPrompt": true
        },
        "EstimatedNumberOfUsers": 1,
        "EmailConfiguration": {
            "EmailSendingAccount": "COGNITO_DEFAULT"
        },
        "SmsConfiguration": {
            "SnsCallerArn": "arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx-devm",
            "ExternalId": "xxxxxxxxx_role_external_id"
        },
        "UserPoolTags": {},
        "AdminCreateUserConfig": {
            "AllowAdminCreateUserOnly": false,
            "UnusedAccountValidityDays": 7
        },
        "Arn": "arn:aws:cognito-idp:us-west-2:xxxxxxxxx:userpool/us-west-2_xxxxxxx",
        "AccountRecoverySetting": {}
    }
}

On my App I did this with the CognitoUser
First

  • authenticateUser
  • completeNewPasswordChallenge (I created the user manually on the console)

Second

  • authenticateUser
  • setUserMfaPreference -> to enable MFA

Third

  • authenticateUser
  • sendMFACode
  • setDeviceStatusRemembered

Fourth

  • authenticateUser -> Immediately signed without requiring MFA

I tried disabling setDeviceStatusNotRemember and that also worked as expected.
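
The third and fourth sign-ins from the comment above, wrapped in one helper, as an added example that is not part of the thread or of amazon-cognito-identity-js. `signInOnDevice`, `askForCode`, `done` and `makeFakeUser` are hypothetical names, and the fake user is a constructed stand-in that models the expected pool behaviour so the flow runs offline.

```javascript
// Added example, not code from the thread. `user` is meant to be a CognitoUser
// from amazon-cognito-identity-js; signInOnDevice, askForCode and done are
// hypothetical names.
function signInOnDevice(user, authDetails, { askForCode, remember, done }) {
  let mfaChallenged = false;
  const callbacks = {
    onSuccess(session) {
      const result = { session, mfaChallenged, remembered: false };
      if (!remember) return done(null, result);
      // Opt this device in only after the sign-in has produced a session.
      user.setDeviceStatusRemembered({
        onSuccess: () => done(null, { ...result, remembered: true }),
        onFailure: (err) => done(err),
      });
    },
    onFailure: (err) => done(err),
    mfaRequired() {
      mfaChallenged = true;
      // Reuse the same callbacks: onSuccess fires once the code is accepted.
      askForCode((code) => user.sendMFACode(code, callbacks));
    },
  };
  user.authenticateUser(authDetails, callbacks);
}

// Constructed stand-in for CognitoUser so the flow runs offline. It models the
// behaviour the pool settings are expected to give: MFA is challenged unless
// the device has been marked as remembered.
function makeFakeUser() {
  const calls = [];
  let remembered = false;
  return {
    calls,
    authenticateUser(_details, cb) {
      calls.push('authenticateUser');
      if (remembered) cb.onSuccess('constructed-session');
      else cb.mfaRequired('SMS_MFA', {});
    },
    sendMFACode(code, cb) {
      calls.push('sendMFACode');
      if (code === '123456') cb.onSuccess('constructed-session');
      else cb.onFailure(new Error('code mismatch'));
    },
    setDeviceStatusRemembered(cb) {
      calls.push('setDeviceStatusRemembered');
      remembered = true;
      cb.onSuccess('SUCCESS');
    },
  };
}
```

Against a real user pool, a result with `mfaChallenged: true` on a device that was already marked as remembered is the condition this issue reports, so it is worth logging.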

@elorzafe Thanks for the update. Will try it out on the latest version of amazon-cognito-identity-js once https://github.com/aws-amplify/amplify-js/issues/4515 is resolved. We're stuck on Amplify v2.2.7 for now because we need to support IE11.

This doesn't seem to have been successfully reproduced. If anyone encounters this issue with the latest version, please open a new issue and it will be a priority. Thank you.
