Description
Is this related to a new or existing framework?
React
Is this related to a new or existing API?
Authentication
Is this related to another service?
Cognito
Describe the feature you'd like to request
Currently, MFA is only supported as a piece of the login flow for a backend that uses Cognito for authentication. The feature I am requesting is for an "out-of-the-box" solution that Amplify exposes in the Auth API. This feature would allow for MFA challenges to be initiated at any point in time for a user that is already authenticated. The use case I have in mind is for an additional layer of verification before completing high impact administrative operations (e.g. disabling another user, deleting a critical database resource, or changing one's password). This would function similarly to the permanently delete confirmation dialogs that AWS uses before completing certain actions, except, obviously, it would require the SMS / TOTP / email MFA token to be entered and verified.
Describe the solution you'd like
The north star would be to invoke a function again the Auth module like this:
import { Auth } from 'aws-amplify';
// Given: user is already fully logged in (with MFA enabled)
// Given: user attempts to change their password
// Send the MFA code over the specified MFA type/channel (default to the user's preferred type)
await Auth.sendMFACode("SMS_MFA");
// Prompt the user to enter the code
await Auth.verifyMFACode(code)
// If successful, allow the user to continue with the password change
I understand that Cognito does not currently support ad hoc MFA challenges like this so collaboration would likely be needed with that team. With the increasing frequency in TOTP Authenticator apps and various forms of MFA, it seems like this could be a fairly high priority feature request.
Describe alternatives you've considered
- I haven't yet tried it but am wondering if
Auth.verifyTotpToken(user, challengeAnswer)would work after authentication, since the nature of a TOTP token is that there is always one present at any given time. My instinct says it will not since that is intended to be used during TOTP setup. I will give this a test to see if the TOTP case is already covered. - It was suggested during the Amplify Office Hours to make use of custom triggers in Cognito (DefineAuthChallenge) to create a OTP and inject it back in the React app via something like a callback URL. It sounds like I may be able to add my own challenge that's usable even after a user has fully logged in. It would have to tap into SNS for the SMS case. I'll keep digging into this. A managed solution would definitely be preferred :)
Additional context
No response
Is this something that you'd be interested in working on?
- 👋 I may be able to implement this feature request
-
⚠️ This feature might incur a breaking change