WARNING: DO NOT USE THIS PACKAGE IF YOU NEED MFA! #429
Comments
Seriously? What the hell... so I look at the user and it randomly shut off MFA? Even though MFA is marked as REQUIRED!? So now I have to worry that you will randomly COMPLETELY BREAK a user's account by marking MFA as disabled yet having it required... therefore I get the MFA status and the user is asked for the MFA code, but MFA is disabled so it will never send shit...
LoL, even setting it to optional and manually re-enabling, and still nothing to my email or phone number... put a beta tag on the entire Cognito service...
Disabled MFA and now I have to find a way to integrate a complete 3rd-party MFA platform just to make this process continue working...
Hi, I just created a pool with the configuration you described and did receive an MFA. I noticed on another thread you posted that you had device remembering turned on. Can you describe what you see when you go to the devices page for a pool? Specifically, what's your configuration for the second option?
At the moment I have auto remember turned off so that I can test the MFA. I never turned off MFA for the device itself, which should not be possible since that was always required.
To be clear, did you have device remembering set to always and suppress the second factor set to yes?
I had it set to No when it was not working, as I needed to test MFA; setting it to yes would have just bypassed it and logged me in successfully. I would try to log in and it would send me a confirmation SMS_MFA, which would then render the login screen to enter the MFA input. However, no code was received. When I looked at the device it showed as DISABLED even though MFA was set to REQUIRED at that time... All of it worked until I verified the email, then it stopped sending any kind of verification. Forgot Password verification continues to work.
When you sign in, does it ask you for an MFA, or does it skip over this and give you tokens?
It was acting as if MFA was required (which is how it was set), so I could not log in at all. It would send the SMS_MFA message but no verification was sent. I had required set to true as shown in the screenshot, yet my device randomly had MFA set to Disabled. I had to disable required MFA to try re-enabling it, because I could not enable MFA when it was set to required: it gave an error that you can't change MFA for devices when it is required. AKA: it was completely broken. I turned off MFA and I can log in now; obviously MFA (which is the whole reason for the refactor) won't work. MFA worked at least 200 times until the second I verified my email, then it never worked again.
I would be happy to look more. I will need a request ID (one of those that experienced the issue you describe), the AWS region, and a timestamp for this request ID.
@vlekakis the request ID is in the screenshot above. I posted that about 2 minutes or less after it happened, and the region is us-west-2. I can no longer mark it as required, so I can't really test or use MFA now anyway.
OK sure, I will take a look and provide an update.
Thank you
Hi, that request ID is from a call to AdminSetUserSettings. Do you happen to have one from an authentication when it failed to send you the SMS? AdminSetUserSettings does not send one, so it won't help us narrow down why you aren't getting them. Just to touch on a few other things: I set up another pool with required MFA and device auto remembering (the repro attempt I mentioned above did not). Following the same steps you described, I did receive an MFA after verifying my email. For that user, it also said MFA was DISABLED, but that's a red herring. See, Cognito uses two types of MFA configurations, one for the user and one for the pool. When MFA is optional, users have to opt in to using it. That changes the user MFA status, and should update that field in the console. When MFA is required, the user MFA status doesn't change, so that field is set to Disabled. That's admittedly confusing to see, so we're noting that as an action item to update. The reason it failed when you tried to change the user MFA status is that you have the pool status set to required, and tried to update the user status. That is not an allowed operation, but that'd be more clear with the action item above.
I agree with @bradennapier - this is confusing at times. Another thing to note is that MFA SMS messaging is only supported by a few regions listed here. This, however, does not explain why I had SMS messages working in
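The two-level MFA model described in the reply above (pool-level required/optional/off versus per-user opt-in) is easy to misread from the console. The following is an added example, not code from this thread or from the amazon-cognito-identity-js project: a pure function that takes already-fetched records shaped like the GetUserPoolMfaConfig and AdminGetUser responses and reports the effective MFA state, whether a "Disabled" user status is expected, and whether an AdminSetUserSettings call would be rejected. The sample pool and user records are constructed; the phone-verification check reflects Cognito's general SMS MFA requirement rather than anything stated in the thread.

```javascript
// Added example: interpret Cognito pool-level vs user-level MFA state.
// Field names follow the GetUserPoolMfaConfig / AdminGetUser response shapes.

function userAttr(user, name) {
  const attr = (user.UserAttributes || []).find((a) => a.Name === name);
  return attr ? attr.Value : undefined;
}

function diagnoseMfa(poolMfa, user) {
  const poolMode = poolMfa.MfaConfiguration; // 'ON' (required), 'OPTIONAL' or 'OFF'
  const smsConfigured = Boolean(poolMfa.SmsMfaConfiguration);
  // Under an OPTIONAL pool the user must opt in; these lists are empty otherwise.
  const userOptedIn =
    (user.UserMFASettingList || []).length > 0 || (user.MFAOptions || []).length > 0;
  const phone = userAttr(user, 'phone_number');
  const phoneVerified = userAttr(user, 'phone_number_verified') === 'true';

  let effective;
  if (poolMode === 'ON') effective = 'required';
  else if (poolMode === 'OPTIONAL') effective = userOptedIn ? 'enabled' : 'disabled';
  else effective = 'disabled';

  const findings = [];
  if (poolMode === 'ON' && !userOptedIn) {
    // The console shows "Disabled" for the user here; the pool setting still enforces MFA.
    findings.push('user-level MFA shows Disabled, but the pool requires MFA: expected, not a fault');
  }
  if (effective !== 'disabled' && !smsConfigured) {
    findings.push('pool has no SmsMfaConfiguration: SMS codes cannot be sent');
  }
  if (effective !== 'disabled' && (!phone || !phoneVerified)) {
    findings.push('phone_number missing or unverified: SMS MFA will not be delivered');
  }

  return {
    effective,
    // Per the thread: changing user MFA settings is rejected while the pool is set to required.
    canCallAdminSetUserSettings: poolMode !== 'ON',
    findings,
  };
}

// Constructed sample records mirroring the situation in the thread.
const SAMPLE_POOL_REQUIRED = {
  MfaConfiguration: 'ON',
  SmsMfaConfiguration: { SmsConfiguration: { SnsCallerArn: 'arn:aws:iam::000000000000:role/placeholder' } },
};
const SAMPLE_USER = {
  Username: 'alice',
  UserAttributes: [
    { Name: 'phone_number', Value: '+15555550100' },
    { Name: 'phone_number_verified', Value: 'true' },
  ],
};
```

Running `diagnoseMfa(SAMPLE_POOL_REQUIRED, SAMPLE_USER)` yields `effective: 'required'` with a single finding explaining the "Disabled" display, and `canCallAdminSetUserSettings: false`.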
This is a serious warning to stay away from this package... unless you want to pull your hair out and delay everything you are doing by hours...
Amazon -- FIX THIS BS PACKAGE ... you just cost us an amazing amount of time with this junk... I have never been so pissed off / disappointed by any package I have ever used...
Using this is a sure-fire way to make your users hate your app.
Ugh - seriously -- now I am testing, and since I have now verified both my email AND my phone number, I have to use MFA, but it never sends anything to my phone or email.. what the hell?
I spent hundreds of hours refactoring our entire user system for this and now I realize this package does not even freaking work!? I guess I should not have assumed that just because it was an Amazon AWS thing it would actually work?
This is a god damn joke ... what a waste of company time and resources.
How the hell do we proceed now?