Skip to content

Ad hoc MFA Auth Challenges #11447

Open
Open
@MattHapner

Description

@MattHapner

Is this related to a new or existing framework?

React

Is this related to a new or existing API?

Authentication

Is this related to another service?

Cognito

Describe the feature you'd like to request

Currently, MFA is only supported as a piece of the login flow for a backend that uses Cognito for authentication. The feature I am requesting is for an "out-of-the-box" solution that Amplify exposes in the Auth API. This feature would allow for MFA challenges to be initiated at any point in time for a user that is already authenticated. The use case I have in mind is for an additional layer of verification before completing high impact administrative operations (e.g. disabling another user, deleting a critical database resource, or changing one's password). This would function similarly to the permanently delete confirmation dialogs that AWS uses before completing certain actions, except, obviously, it would require the SMS / TOTP / email MFA token to be entered and verified.

Describe the solution you'd like

The north star would be to invoke a function again the Auth module like this:

import { Auth } from 'aws-amplify';

// Given: user is already fully logged in (with MFA enabled)
// Given: user attempts to change their password

// Send the MFA code over the specified MFA type/channel (default to the user's preferred type)
await Auth.sendMFACode("SMS_MFA");

// Prompt the user to enter the code 
await Auth.verifyMFACode(code)

// If successful, allow the user to continue with the password change

I understand that Cognito does not currently support ad hoc MFA challenges like this so collaboration would likely be needed with that team. With the increasing frequency in TOTP Authenticator apps and various forms of MFA, it seems like this could be a fairly high priority feature request.

Describe alternatives you've considered

  • I haven't yet tried it but am wondering if Auth.verifyTotpToken(user, challengeAnswer) would work after authentication, since the nature of a TOTP token is that there is always one present at any given time. My instinct says it will not since that is intended to be used during TOTP setup. I will give this a test to see if the TOTP case is already covered.
  • It was suggested during the Amplify Office Hours to make use of custom triggers in Cognito (DefineAuthChallenge) to create a OTP and inject it back in the React app via something like a callback URL. It sounds like I may be able to add my own challenge that's usable even after a user has fully logged in. It would have to tap into SNS for the SMS case. I'll keep digging into this. A managed solution would definitely be preferred :)

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

Metadata

Metadata

Assignees

No one assigned

    Labels

    AuthRelated to Auth components/categoryCognitoRelated to cognito issuesService TeamIssues asked to the Service Teamfeature-requestRequest a new feature

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions