SMS MFA is activated for phone number that wasn't confirmed #11259

Open
@helgabalashova

Description

JavaScript Framework

Not applicable

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

N/A

Describe the bug

  1. The userpool is set up to confirm email. MFA is required (SMS is enabled). When a user registers, Cognito doesn’t require phone confirmation but sends an SMS_MFA challenge at login. If the user types a wrong phone number, they can’t log in, since Cognito sends the code to the unconfirmed phone number. There must be a requirement for userpools with SMS_MFA enabled to confirm the phone number for successful registration. (Cognito also lets users use an unconfirmed phone number instead of a username when they log in.)
  2. MFA is optional. The userpool is set up to confirm email at registration. A phone number is entered but not confirmed. Cognito allows setting SMS_MFA as preferred when the phone number is not confirmed (using the Auth.setPreferredMFA method).

Expected behavior

  1. If MFA is required with SMS enabled, it should not allow userpool creation without phone confirmation (it should require phone confirmation instead of email confirmation).
  2. Cognito throws an error for the Auth.setPreferredMFA('SMS') call if the phone number is not confirmed (SMS_MFA is not set as a result).

Reproduction steps

N/A

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response
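
An added example, not part of the original issue or of Amplify's own code: a client-side guard for the optional-MFA case (item 2 above) that calls `Auth.setPreferredMFA` only when Cognito reports `phone_number_verified`, and otherwise starts phone verification. It assumes the Amplify JS v5 `Auth` API; `toAttributeMap`, `smsMfaDecision` and `enableSmsMfaIfVerified` are hypothetical names, and the `auth` parameter stands in for the imported `Auth` object.

```javascript
// Added example (assumes Amplify JS v5 `Auth`; function names are hypothetical).
// `auth` is the imported Auth object or a stub exposing the same methods.

// Auth.userAttributes() yields [{ Name, Value }] with string values, while
// user.attributes is a plain object; normalize both shapes to one map.
function toAttributeMap(attrs) {
  if (!Array.isArray(attrs)) return { ...(attrs || {}) };
  return Object.fromEntries(attrs.map((a) => [a.Name, a.Value]));
}

// Pure decision: may SMS be set as the preferred MFA method for this user?
function smsMfaDecision(attrs) {
  const map = toAttributeMap(attrs);
  const phone = map.phone_number;
  if (!phone) return { allow: false, reason: 'NO_PHONE_NUMBER' };
  // Cognito expects phone_number as "+" followed by country code and digits.
  if (!/^\+[1-9]\d{1,14}$/.test(phone)) {
    return { allow: false, reason: 'INVALID_PHONE_FORMAT' };
  }
  // The flag arrives as the string "true" or as a boolean, depending on source.
  const verified = map.phone_number_verified === true ||
    map.phone_number_verified === 'true';
  if (!verified) return { allow: false, reason: 'PHONE_NOT_VERIFIED' };
  return { allow: true, reason: 'OK' };
}

// Enable SMS MFA only for a verified number; otherwise start verification.
async function enableSmsMfaIfVerified(auth) {
  // bypassCache forces a fresh read so a stale local flag is not trusted.
  const user = await auth.currentAuthenticatedUser({ bypassCache: true });
  const decision = smsMfaDecision(await auth.userAttributes(user));
  if (decision.allow) {
    await auth.setPreferredMFA(user, 'SMS');
  } else if (decision.reason === 'PHONE_NOT_VERIFIED') {
    // Sends a code to the number; the caller completes the flow with
    // Auth.verifyCurrentUserAttributeSubmit('phone_number', code).
    await auth.verifyCurrentUserAttribute('phone_number');
  }
  return decision;
}
```

This guard runs in the client, so it keeps a cooperative app from enrolling an unverified number; it does not change what the Cognito service itself accepts.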

Metadata

Assignees

No one assigned

    Labels

    Auth: Related to Auth components/category
    Cognito: Related to cognito issues
    MFA: Used when it's related to issues with MFA / TOTP use cases
    Service Team: Issues asked to the Service Team
    feature-request: Request a new feature
