Skip to content

MFA methods are not added to UserMfaSettingList #11258

Open
@helgabalashova

Description

@helgabalashova

Before opening, please confirm:

JavaScript Framework

Not applicable

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

N/A

Describe the bug

  1. When Customers configure userpool with MFA as required (both SMS and TOTP available) and phone number provided at registration, Cognito automatically enables SMS_MFA for that user and SMS_MFA challenge is returned at login. When user calls getUser API, SMS_MFA is not in the UserMfaSettingList even though it was activated for the user. From Api definition, UserMfaSettingList is the MFA options that are activated for the user. As a result of default activation from Cognito side, SMS_MFA should be present in the UserMfaSettingList. Otherwise, we don't have a reliable mechanism to detect SMS_MFA to display it in UI component that shows activated MFA methods for the user.
  2. When Customers configure userpool with required MFA and TOTP is the only enabled method, TOTP is not added to MFA methods in console and to the UserMfaSettingList. Flow: user registers and sets up TOTP app. When verifySoftwareTOken Api is called, MFA TOTP status is verified if successful. When user tries to log in, they get 'SOFTWARE_TOKEN_MFA' challenge as a result which means that TOTP was activated. But when getUser call is made, TOTP is not reflected in UserMfaSettingList.

As a result of these two cases, we can't create a function that would reliably reflect MFA preferences for the user. (Auth.getPreferredMFA reflects incorrect information because of that)

Expected behavior

  1. If MFA method is added to the userpool by default without Auth.setPreferredMFA method, it should be reflected in the UserMfaSettingList (getUser api)
  2. When TOTP is added as MFA method at registration, there should be a way to add it to UserMfaSettingList (at this point, it requires user to be authenticated)

Reproduction steps

N/A

Code Snippet

No response

Log output

No response

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    AuthRelated to Auth components/categoryCognitoRelated to cognito issuesMFAUsed when its related to issues with MFA / TOTP use casesService TeamIssues asked to the Service TeambugSomething isn't workingpending-maintainer-responseIssue is pending a response from the Amplify team.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions