amplify-js: Setting device as remembered does not suppress MFA challenge

JavaScript Framework

Angular

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

  System:
    OS: Linux 5.11 Ubuntu 20.04.2 LTS (Focal Fossa)
    CPU: (16) x64 AMD Ryzen 7 3700X 8-Core Processor
    Memory: 18.36 GB / 31.27 GB
    Container: Yes
    Shell: 5.0.17 - /bin/bash
  Binaries:
    Node: 14.17.0 - ~/.nvm/versions/node/v14.17.0/bin/node
    npm: 6.14.13 - ~/.nvm/versions/node/v14.17.0/bin/npm
  Browsers:
    Chrome: 94.0.4606.61
    Firefox: 92.0
  npmGlobalPackages:
    npm: 6.14.13
    sequelize-cli: 6.2.0
    typescript: 4.3.5

Describe the bug

Marking the device as remembered (while MFA is enabled for that user) does not suppress the MFA challenge on the next login. The user is prompted to register the event to “remember” the device twice before the MFA is skipped in two consecutive login operations. Related issue: https://github.com/aws-amplify/amplify-js/issues/932

Expected behavior

After the user completes the corresponding MFA setup with TOTP and remembers the current device (and it can be listed as remembered), in subsequent logins the user should not need to enter a 2FA code.

Reproduction steps

  • Login with your credentials
  • Setup MFA
  • Logout
  • Log-in & remember your device
  • Your device is correctly listed in the devices table
  • Logout
  • If you try to login again, you will be asked for a TOTP code again although this device is remembered

Code Snippet

I am attaching a small PoC with some test users https://github.com/franquitt/aws-amplify-angular which has the following characteristics:

  • It is linked to a pool with 30 users to test this behavior
  • It has the description of the pool (result of the command aws cognito-idp describe-user-pool)
  • LogIn
  • Setup for MFA with software token
  • List remembered devices
  • Remember the device when logging in
  • Delete current device
  • Remove the user’s MFA config

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16 (8 by maintainers)

Most upvoted comments

Just wanted to comment on that since no one mentioned their fix to work around this + it still happens.

Looks like this is a device state management bug in the Cognito backend.

To understand this let’s look at a different case. Let’s assume you have remembered the device before enabling MFA. Once the user enables MFA the code will be required in the first login. So the flow is:

  1. User logs in with MFA disabled, and remembers the device in Cognito.
  2. User enables MFA
  3. User logs in and code is required.
  4. MFA is not required in the consecutive login attempts.

This is expected because MFA triggers device re-verification.

The case described in this issue is slightly different:

  1. User logs in with MFA disabled, and DOES NOT remember the device in Cognito (but it’s tracked now).
  2. User enables MFA.
  3. User logs in and code is required and device is remembered.
  4. User logs in with that device and gets MFA challenge unexpectedly.

Looks like the first MFA trigger does not mark the device as remembered and “confirmed after enabling MFA”, hence the second MFA challenge.

We found out that remembering the device after successful login in the case where the user does not have MFA enabled fixes that flow. AFAIK there is no security implication of remembering that device because MFA is triggered on the first login after enabling MFA anyway. One thing to remember is to mark the device as “not_remembered” if the user hasn’t checked “remember device” once you confirm it with MFA.
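An added example (not code from the issue, the linked repo or Amplify) of the client-side workaround described in the comment above: remember the device right after a successful login when no MFA challenge was issued, and after a TOTP challenge record the user's actual choice. It builds on the Amplify v4 calls Auth.signIn, Auth.confirmSignIn and Auth.rememberDevice and on the amazon-cognito-identity-js CognitoUser method setDeviceStatusNotRemembered; the AuthApi and CognitoUserLike interfaces and the function name signInTrackingDevice are assumptions that let the flow run without a Cognito pool.

```typescript
// Added example. AuthApi/CognitoUserLike are assumed narrow interfaces over the
// real Amplify v4 Auth calls and the CognitoUser setDeviceStatusNotRemembered method.
export interface CognitoUserLike {
  challengeName?: string;
  setDeviceStatusNotRemembered(cb: { onSuccess: (r: string) => void; onFailure: (e: Error) => void }): void;
}

export interface AuthApi {
  signIn(username: string, password: string): Promise<CognitoUserLike>;
  confirmSignIn(user: CognitoUserLike, code: string, mfaType: 'SOFTWARE_TOKEN_MFA'): Promise<CognitoUserLike>;
  rememberDevice(): Promise<string>;
}

export type SignInOutcome = 'MFA_CONFIRMED' | 'NO_MFA';

// Promise wrapper around the callback-style CognitoUser method.
function markDeviceNotRemembered(user: CognitoUserLike): Promise<string> {
  return new Promise((resolve, reject) =>
    user.setDeviceStatusNotRemembered({ onSuccess: resolve, onFailure: reject }));
}

export async function signInTrackingDevice(
  auth: AuthApi,
  username: string,
  password: string,
  getTotpCode: () => Promise<string>,
  rememberThisDevice: boolean,
): Promise<SignInOutcome> {
  let user = await auth.signIn(username, password);
  if (user.challengeName === 'SOFTWARE_TOKEN_MFA') {
    // Verify the second factor first; only then record the device choice.
    user = await auth.confirmSignIn(user, await getTotpCode(), 'SOFTWARE_TOKEN_MFA');
    if (rememberThisDevice) {
      await auth.rememberDevice();
    } else {
      // The device is tracked either way; set not_remembered explicitly so a
      // "remember" recorded before MFA was enabled does not outlive the user's choice.
      await markDeviceNotRemembered(user);
    }
    return 'MFA_CONFIRMED';
  }
  if (user.challengeName) throw new Error(`unhandled challenge ${user.challengeName}`);
  // No MFA configured yet: remember the device now so it is already confirmed when
  // MFA is enabled later. Cognito still challenges the first login after MFA is on.
  await auth.rememberDevice();
  return 'NO_MFA';
}
```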

Hi @amar-finfare - this means if you are using the HostedUI for social sign-in: https://docs.amplify.aws/lib/auth/social/q/platform/js/

I’m having the same issue.

@ashika01 @venkateshCorezi Any feedback here?

Hi @ashika01! I’m not sure what you mean, were you able to build my repo project locally? I put the generic steps in the ticket description, and these relate almost directly to the calls of these methods:

import { Auth } from 'aws-amplify'; // at the top of app.component.ts

// Sign in, enrol a software token (TOTP) and make it the preferred MFA method
this.mfaUser = await Auth.signIn(this.username, this.password);
this.secretCode = await Auth.setupTOTP(this.mfaUser);
await Auth.verifyTotpToken(this.mfaUser, this.mfaPinSetup);
await Auth.setPreferredMFA(this.mfaUser, 'TOTP');
// Remember the current device, then sign out and back in
await Auth.rememberDevice(); // results in 'SUCCESS'
await Auth.signOut();
this.mfaUser = await Auth.signIn(this.username, this.password);
/* It should log in correctly on this device that has been
saved correctly, however it generates a challenge SOFTWARE_TOKEN_MFA */

The code is at https://github.com/franquitt/aws-amplify-angular/blob/main/src/app/app.component.ts. Let me know if there is another way I can help you! Have a great day.

Hi @franquitt, I pulled your sample and ran it. To understand the exact issue, I might have to build a replica of your flow to find the issue you are facing. Could you maybe share the order of your Amplify calls?

Hey Franquitt, thanks for opening this issue. I am going to take a look