Setting device as remembered does not suppress MFA challenge
Do you want to request a feature or report a bug? Bug
Note: This issue has already been reported to Cognito Development team via support centre and it was suggested to create an issue on Github repo for SDK as well for monitoring.
What is the current behavior?
This issue occurs with the device that user uses to change the password at the first sign-in only. Marking that device as remembered (while MFA is enabled for that user) does not suppress the MFA challenge on next logins. User has to complete MFA challenge one more time while device is marked as remembered in order for it to suppress MFA challenges on future logins. User pool settings are below:
a. MFA settings
Optional
b. Device Settings
Remember Devices - User Opt-in
Avoid MFA with Remembered devices - Yes.
This issue does not occur on any subsequent devices tracked by Cognito. As mentioned above this is only for the device used for the password reset required scenario. Below is the screencast of this issue reproduction
Steps performed in screencast:
- New user logs in (new user is required to change password)
- User fills his info for password change (User is prompted for name only. Rest of the info is preconfigured programmatically)
- User logs out -> logs in again and enables MFA for his verified phone number
- User logs out and on next login is prompted for MFA code to login as expected
- User logs out and on next login ticks the checkbox to set the device as remembered
- User is prompted for MFA challenge upon which user’s device is marked as remembered (From AWS console it can be verified that there is only one device being tracked, on which the user's initial sign-in password change was done, and that it is marked as remembered as well)
- Log out and login again
- User is prompted for MFA challenge Again!! Even though his device is marked as remembered and as per user pool configuration, user should not be asked for MFA challenge on remembered device
What is the expected behavior? Once device is marked as remembered, then it should not ask for MFA challenge on that device again.
Which versions of Amplify, and which browser / OS are affected by this issue? Did this work in previous versions?
amazon-cognito-identity-js 2.0.3
- Issue is reproducible on chrome/firefox/safari (Did not test on any other browser)
- It does not work on previous versions either
Issue Analytics
- Created 5 years ago
- Comments: 10 (4 by maintainers)
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
For people reaching here, the workaround is to call the API that remembers the current device before calling the API that sets up MFA.
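The workaround ordering from the comment above, written out as an added example (not code from the issue, the SDK, or the commenter): the current device is marked as remembered first, and SMS MFA is enabled only if that succeeds. It assumes `cognitoUser` is an already-authenticated `CognitoUser` from amazon-cognito-identity-js and uses only its callback-style `setDeviceStatusRemembered({onSuccess, onFailure})` and `setUserMfaPreference(smsSettings, totpSettings, cb)` methods; the fake user at the bottom is constructed so the flow runs offline.

```javascript
// Added example: apply the thread's workaround by remembering the current
// device BEFORE enabling SMS MFA, so the first tracked device is not left
// needing one extra MFA challenge. `cognitoUser` is assumed to be an
// authenticated CognitoUser from amazon-cognito-identity-js.

const SMS_MFA_ON = { PreferredMfa: true, Enabled: true };

// Runs the two SDK calls strictly in order. If remembering the device fails,
// MFA is NOT enabled, so the user is never left in the "remembered but still
// challenged" state described in the issue. onDone(err, result) mirrors the
// SDK's own Node-style callback.
function rememberDeviceThenEnableMfa(cognitoUser, onDone) {
  cognitoUser.setDeviceStatusRemembered({
    onSuccess: () => {
      cognitoUser.setUserMfaPreference(SMS_MFA_ON, null, (err, result) => {
        onDone(err || null, err ? undefined : result);
      });
    },
    onFailure: (err) => onDone(err),
  });
}

// Constructed stand-in for a CognitoUser so the flow runs offline. It records
// the order of SDK calls; `failRemember` simulates a device-tracking error.
function makeFakeCognitoUser({ failRemember = false } = {}) {
  const calls = [];
  return {
    calls,
    setDeviceStatusRemembered({ onSuccess, onFailure }) {
      calls.push('setDeviceStatusRemembered');
      if (failRemember) return onFailure(new Error('device not tracked'));
      onSuccess('SUCCESS');
    },
    setUserMfaPreference(smsSettings, totpSettings, cb) {
      calls.push('setUserMfaPreference');
      cb(null, 'SUCCESS');
    },
  };
}

// Stand-alone demo against the constructed fake user (no network).
const demoUser = makeFakeCognitoUser();
rememberDeviceThenEnableMfa(demoUser, (err, result) => {
  console.log('calls:', demoUser.calls.join(' -> '), '| result:', err || result);
});
```

With a real `CognitoUser`, replace `demoUser` with the authenticated user object and run this in the same session in which the user opted in to device tracking.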