I'm working on a use case where I have to lock the user after unsuccessful username and password attempts, and then later the admin should be able to unlock the user in Cognito so that the user can log in again.
For now, Cognito locks the user after 5 unsuccessful username and password attempts, and when the user then tries to log in with the proper username and password it gives the following exception:
"Unable to login because of security reasons. "
However, I'm not able to find a way to unlock that particular user as an admin. Does Cognito provide any API or dashboard for unlocking the user? Can anyone help me here?
No, you cannot interfere with their default lockout policy. You can, however, put in your own logic to lock out users using a pre sign-in Lambda trigger along with a custom field which stores recent unsuccessful login attempts. The Lambda is triggered and checks if the user has too many login attempts and then blocks them from logging in.
You can then write another function that lets the admin clear the custom field that tracks unsuccessful logins.
If you make a call to disable the user, then re-enable the user, that resets the login attempts and your user should be able to log in.
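The admin-side unlock that the two answers above describe, as an added shell example that is not code from either answer. It assumes the AWS CLI has admin credentials for the pool, that the counter read by the pre sign-in trigger is stored in an attribute named custom:failed_logins (an assumed name), and it reads the CLI binary from AWS_CMD only so the calls can be stubbed in a test:

```shell
#!/bin/sh
# Constructed example: admin unlock of a Cognito user.
# AWS_CMD lets a test substitute a stub for the real "aws" binary.
AWS_CMD="${AWS_CMD:-aws}"
# Assumed name of the custom attribute the pre sign-in trigger checks.
COUNTER_ATTR="${COUNTER_ATTR:-custom:failed_logins}"

# Clears the custom attempt counter so the pre sign-in trigger lets the user in.
unlock_reset_counter() {
  "$AWS_CMD" cognito-idp admin-update-user-attributes \
    --user-pool-id "$1" --username "$2" \
    --user-attributes "Name=$COUNTER_ATTR,Value=0"
}

# Disables and then re-enables the user, which the second answer reports
# resets Cognito's built-in lockout counter.
unlock_toggle_enabled() {
  "$AWS_CMD" cognito-idp admin-disable-user --user-pool-id "$1" --username "$2" &&
  "$AWS_CMD" cognito-idp admin-enable-user --user-pool-id "$1" --username "$2"
}

# Prints True/False: whether the account is enabled afterwards.
user_enabled() {
  "$AWS_CMD" cognito-idp admin-get-user \
    --user-pool-id "$1" --username "$2" --query Enabled --output text
}

# Full unlock: reset the custom counter, toggle the account, confirm it is enabled.
unlock_user() {
  unlock_reset_counter "$1" "$2" >/dev/null || return 1
  unlock_toggle_enabled "$1" "$2" >/dev/null || return 1
  [ "$(user_enabled "$1" "$2")" = "True" ]
}
```

The toggle also reverses an intentional administrative disable, so check the account's status before using it on an account that may have been disabled on purpose.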
Related
Some help on how you prevent a Cognito user from locking themselves out when changing an email? i.e. only change the email in Cognito once it's verified, for existing users updating an email.
If they enter a wrong email (i.e. a typo, etc.) and we call Amplify.updateUserAttributes(), Cognito registers that new email without waiting for the user to confirm it, locking the user out.
I've searched for ways to first have a 'temporary' new email which will only be active once a user verifies it and haven't seen one.
I want to achieve the following use case:
If the user logs in with a new device, my app will send an email to notify the user and require the user to enter the code from the email to successfully log in to the app.
The way I thought of is to create a custom authentication flow to achieve this, but I cannot find any information about the user's login device in defineAuthChallenge and createAuthChallenge. Did I miss something here? Is this the correct way to achieve the use case?
More info about the custom authentication flow:
https://aws.amazon.com/blogs/mobile/customizing-your-user-pool-authentication-flow/
You can try to implement this using the post-authentication Lambda trigger. This will send you the user's login details (except the password) when the user attempts to sign in.
We are using the AWS Cognito CLI (cognito-idp), and our dev and staging environments are frequently iterating, and as such we sometimes have a user account entering the FORCE_CHANGE_PASSWORD state, and yet we don't have the session info we need to trigger the password change, nor can we seem to then trigger another "reset".
Is there a way to toggle the state out of FORCE_CHANGE_PASSWORD, or a way to get the session token needed to change the password ourselves?
Do you know the old/temporary password of that user which is in FORCE_CHANGE_PASSWORD state?
If yes, then you could use that same password to authenticate, which would return a challenge called NEW_PASSWORD_REQUIRED. You can then use this session ID to make a subsequent call to reset the password.
Steps:
Call admin-initiate-auth with --auth-flow "ADMIN_NO_SRP_AUTH" and the old password.
The response should have the challenge NEW_PASSWORD_REQUIRED. Save the session ID.
Call admin-respond-to-auth-challenge with the above value for --challenge-name and the new password.
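The three steps above as an added shell example with the AWS CLI, not the answer's own code. It assumes admin credentials for the pool, an app client that allows the admin username/password auth flow, the temporary and new passwords passed as arguments, and an AWS_CMD variable that exists only so the calls can be stubbed in a test:

```shell
#!/bin/sh
# Constructed example: clear a FORCE_CHANGE_PASSWORD state with the AWS CLI.
# AWS_CMD lets a test substitute a stub for the real "aws" binary.
AWS_CMD="${AWS_CMD:-aws}"

# Step 1: authenticate with the temporary password. Cognito answers with the
# NEW_PASSWORD_REQUIRED challenge and a Session value, which this prints.
# The app client must allow the ADMIN_NO_SRP_AUTH flow (assumed here).
cognito_get_challenge_session() {
  pool_id="$1"; client_id="$2"; username="$3"; temp_password="$4"
  "$AWS_CMD" cognito-idp admin-initiate-auth \
    --user-pool-id "$pool_id" \
    --client-id "$client_id" \
    --auth-flow ADMIN_NO_SRP_AUTH \
    --auth-parameters "USERNAME=$username,PASSWORD=$temp_password" \
    --query Session --output text
}

# Step 2: answer the challenge with the new password using the saved session.
# Prints the resulting access token.
cognito_set_new_password() {
  pool_id="$1"; client_id="$2"; username="$3"; new_password="$4"; session="$5"
  "$AWS_CMD" cognito-idp admin-respond-to-auth-challenge \
    --user-pool-id "$pool_id" \
    --client-id "$client_id" \
    --challenge-name NEW_PASSWORD_REQUIRED \
    --challenge-responses "USERNAME=$username,NEW_PASSWORD=$new_password" \
    --session "$session" \
    --query AuthenticationResult.AccessToken --output text
}

# Both steps in one call; fails if no session came back (the CLI prints
# "None" for a missing field with --output text).
cognito_force_change_password() {
  session=$(cognito_get_challenge_session "$1" "$2" "$3" "$4") || return 1
  [ -n "$session" ] && [ "$session" != "None" ] || return 1
  cognito_set_new_password "$1" "$2" "$3" "$5" "$session"
}
```

Passwords given as arguments are visible in shell history and process listings, so outside throwaway dev/staging pools prompt for them or read them from a secret store instead.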
I have a Lambda function which creates users using the adminCreateUser Cognito function. My app is basically an invite-only app where the admin can only invite certain users. Everything is working great so far, and I am able to resend invitation email notifications as well. However, I am trying to figure out how I can find out if a user created by the adminCreateUser method has "expired", i.e. the user has not accepted the invite and changed the temporary password.
When the admin creates a user using adminCreateUser, the status is FORCE_CHANGE_PASSWORD by default. When the user with this status attempts to log in using the temporary password (from the verification email), Cognito sends a challenge back in the challengeName attribute of NEW_PASSWORD_REQUIRED, based on which the user is forced to change their password through the application, and upon successful reset the status changes to CONFIRMED in Cognito for that user. This is working great so far, but I also need to handle the scenario where the invited user never really changed their password by attempting to log into the application.
Now, I have set "How quickly should user accounts created by administrators expire if not used?" to 7 days (default). What would be the status of the user account after 7 days if the user doesn't reset their password? I tried to find out from the documentation, but it's not clear what the status of the user account would be in this situation.
NOTE: This is not about Token expiration in the client but rather expiration of an account created via the adminCreateUser method.
Annjawn,
According to the link below: "After the account expires, the user cannot log in to the account until the administrator updates the user's profile by updating an attribute or by resending the password to the user"
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-admin-create-user-policy.html
All the best,
Guto
I am assuming that I would be prompted based on the documentation, which specifically states:
If your app is using the Amazon Cognito hosted UI to sign in users, the UI shows a second page for your user to enter the TOTP password after they submit their user name and password.
Under the "MFA and Verifications" section of the user pool, I have checked the following:
Do you want to enable Multi-Factor Authentication (MFA)?
Optional
Which second factors do you want to enable?
Time-based One-time Password
I have added a single test user that is verified.
From there, I followed the documentation to both Associate the TOTP Token and Verify the TOTP Token, confirming I got the secret code in the response for calling AssociateSoftwareToken and a 'SUCCESS' in the response for VerifySoftwareToken.
At this point, I believe when I use the hosted UI sign-in page, I should be prompted to enter a one-time password after submitting my username/password, and upon successful verification of that, be redirected to the sign-in callback URL specified in my app client.
However, I am being redirected immediately after submitting the username and password and there is no prompt for entering a TOTP.
I was able to get this to work by explicitly calling SetUserMFAPreference after setting up TOTP for the test account. My assumption that associating and verifying TOTP automatically changed Cognito's behavior with respect to the authentication flow of the user was mistaken. It also required me to tell Cognito to enable and use the TOTP for the user.
The crux of my original confusion was that generating and associating a software token to generate OTPs for a user did not enable it for the user. A call to SetUserMFAPreference to enable it for the user was also required. Once that was done, it worked as expected. For instance, to enable software MFA and set it as preferred:
{
  "AccessToken": "xyz123",
  "SoftwareTokenMfaSettings": {
    "Enabled": true,
    "PreferredMfa": true
  }
}
There is also an admin version of the API call that can achieve the same result.
For anyone else who stumbles upon this and still isn't getting prompted for their TOTP, you may also need to clear your cookies. Even if your pool is not set up to remember user devices, without clearing the cookies you may still be able to log in without the TOTP.
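The full sequence the answer arrives at (AssociateSoftwareToken, VerifySoftwareToken, then SetUserMFAPreference) as an added shell example using the AWS CLI, not code from the original answer. It assumes a valid user access token, a code read from the user's authenticator app, and an AWS_CMD variable that exists only so the calls can be stubbed in a test:

```shell
#!/bin/sh
# Constructed example: the three calls needed before the hosted UI prompts
# for a TOTP. AWS_CMD lets a test substitute a stub for the real "aws" binary.
AWS_CMD="${AWS_CMD:-aws}"

# 1. Associate a software token. Prints the shared secret the user loads into
#    an authenticator app (usually shown as a QR code).
totp_associate() {
  "$AWS_CMD" cognito-idp associate-software-token \
    --access-token "$1" --query SecretCode --output text
}

# 2. Verify a code generated by that app. Prints SUCCESS or ERROR.
totp_verify() {
  "$AWS_CMD" cognito-idp verify-software-token \
    --access-token "$1" --user-code "$2" --query Status --output text
}

# 3. The step the question was missing: enable TOTP for the user and make it
#    the preferred factor, so the hosted UI asks for it after the password.
totp_enable_preferred() {
  "$AWS_CMD" cognito-idp set-user-mfa-preference \
    --access-token "$1" \
    --software-token-mfa-settings Enabled=true,PreferredMfa=true
}

# Admin variant of step 3, usable without the user's access token.
totp_admin_enable_preferred() {
  "$AWS_CMD" cognito-idp admin-set-user-mfa-preference \
    --user-pool-id "$1" --username "$2" \
    --software-token-mfa-settings Enabled=true,PreferredMfa=true
}

# Steps 2 and 3 together: refuses to enable MFA unless verification succeeded,
# so a mistyped code never leaves the user with an unverified preferred factor.
totp_verify_and_enable() {
  status=$(totp_verify "$1" "$2") || return 1
  [ "$status" = "SUCCESS" ] || return 1
  totp_enable_preferred "$1"
}
```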
After messing around with this problem, I reckon that AWS just gave up on this and moved towards using Amplify.
Use the Amplify libraries and their Amplify UI components.
The Auth component will prompt the user at first login with a QR code.
https://docs.amplify.aws/lib/auth/getting-started/q/platform/js/#option-1-use-pre-built-ui-components