AWS Cognito - reset user MFA

走远了吗. Submitted on 2019-12-13 13:03:14

Question


I have a Cognito user pool which has MFA set to Required with TOTP only (i.e. no SMS).

My question is how do I reset the MFA for a user? For example, what if the user loses his phone, so he doesn't have any way to log in?

I have tried reset password but that only resets the password, it doesn't remove the MFA.

At the bottom of this AWS documentation, it says

NOTE A delete TOTP software token operation is not currently available in the API. This functionality is planned for a future release. Use SetUserMFAPreference to disable TOTP MFA for an individual user.

So I tried SetUserMFAPreference and AdminSetUserMFAPreference; they just return 200 OK but don't actually disable the MFA. I guess it's because the user pool has MFA set to Required.


Answer 1:


Actually you need to change the user's settings, not preferences.

To remove MFA:

    var AWS = require('aws-sdk');
    var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();

    // Wrapped in a Promise so that resolve/reject are defined
    function removeMfa(poolData, userid) {
        return new Promise(function(resolve, reject) {
            var params = {
                UserPoolId: poolData.UserPoolId,
                Username: userid, /* required */
                MFAOptions: [ /* required */
                ]
            };
            cognitoidentityserviceprovider.adminSetUserSettings(params, function(err, data) {
                if (err) reject(err);       // an error occurred
                else     resolve(data);     // successful response
            });
        });
    }

To Add/Change MFA:

    var AWS = require('aws-sdk');
    var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();

    // Wrapped in a Promise so that resolve/reject are defined
    function setSmsMfa(poolData, userid) {
        return new Promise(function(resolve, reject) {
            var params = {
                UserPoolId: poolData.UserPoolId,
                Username: userid, /* required */
                MFAOptions: [ /* required */
                    {
                        AttributeName: 'phone_number',
                        DeliveryMedium: 'SMS'
                    }
                ]
            };
            cognitoidentityserviceprovider.adminSetUserSettings(params, function(err, data) {
                if (err) reject(err);       // an error occurred
                else     resolve(data);     // successful response
            });
        });
    }



Answer 2:


You can give each user a recovery code, and then write a Lambda exposed via an API endpoint that checks to see if they submit the right recovery code. If they do, you can call the following inside the Lambda to disable the user's MFA:

    const AWS = require('aws-sdk');
    const cognito = new AWS.CognitoIdentityServiceProvider();

    // userid is the (already verified) user; AmplifyConfig is the app's Amplify configuration
    async function disableTotpMfa(userid) {
      const result = await cognito
        .adminSetUserMFAPreference({
          UserPoolId: AmplifyConfig.Auth.userPoolId,
          Username: userid,
          SoftwareTokenMfaSettings: {
            Enabled: false,
            PreferredMfa: false,
          },
        })
        .promise();
      return result;
    }

Be sure to use something like crypto.timingSafeEqual to defend against timing attacks when checking those recovery codes.




Answer 3:


If you are an administrator, you can update it using the following AWS CLI command:

    aws cognito-idp admin-set-user-mfa-preference \
        --user-pool-id <user-pool-id> \
        --username <username> \
        --software-token-mfa-settings Enabled=false,PreferredMfa=false

For more information, have a look at the documentation.



Source: https://stackoverflow.com/questions/50497388/aws-cognito-reset-user-mfa
