Open
Description
Before opening, please confirm:
- I have searched for duplicate or closed issues and discussions.
- I have read the guide for submitting bug reports.
- I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
JavaScript Framework
Not applicable
Amplify APIs
Authentication
Amplify Categories
auth
Environment information
N/A
Describe the bug
- Userpool is set up to confirm email. MFA is required (SMS is enabled). When user registers, Cognito doesn’t require phone confirmation but sends SMS_MFA challenge at log in. If user types wrong phone number, they can’t log in since Cognito sends code to unconfirmed phone number. There must be a requirement for userpools with SMS_MFA enabled to confirm phone number for successful registration. (Cognito also lets users use unconfirmed phone number instead of username when they log in)
- MFA is optional. Userpool is set up to confirm email at registration. Phone is entered but not confirmed. Cognito allows set SMS_MFA as preferred when phone number is not confirmed (using Auth.setPreferredMFA method)
Expected behavior
- If MFA is required with SMS enabled, it should not let userpool creation without phone confirmation (it should require phone confirmation instead of email confirmation)
- Cognito throws an error for Auth.setPreferredMFA('SMS') call if phone number is not confirmed (SMS_MFA is not set as a result)
Reproduction steps
N/A
Code Snippet
// Put your code below this line.
Log output
// Put your logs below this line
aws-exports.js
No response
Manual configuration
No response
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response