Auth - verify password before enable MFA #3661

Closed
Mowinski opened this issue Jul 16, 2019 · 10 comments
Labels
Cognito Related to cognito issues feature-request Request a new feature Service Team Issues asked to the Service Team

Comments

@Mowinski

**Which Category is your question related to?**
Auth and credentials

**What AWS Services are you utilizing?**
Cognito

**Provide additional details e.g. code snippets**
Hi!
I want to give my users a new feature: MFA authorization.
When a user logs in to my page, he/she is able to activate MFA in the settings panel.
I show a popup with a wizard form.
The first step is verifying "what he/she knows", so I ask for the password.
And there is a problem, because Amplify doesn't have any method to verify the password. I found a workaround but it is ugly: I just try to set the old password as the new password and check the status of this operation :)

My question: how can I verify the user's password in a prettier way?

@haverchuck
Contributor

@Mowinski - By verify password, I assume you mean having the user enter their password after they've already authenticated. I am going to mark this issue as a feature request (unless my assumption is mistaken), since the Cognito service does not currently offer that functionality (I will verify that with them this week).

@haverchuck haverchuck added Cognito Related to cognito issues feature-request Request a new feature labels Jul 16, 2019
@haverchuck haverchuck added this to the Auth v2 milestone Jul 16, 2019
@malcomm

malcomm commented Nov 6, 2020

+1 for this. My use case is to verify the user via a password challenge before they can sign a document. (this is also post-authentication).

@haverchuck - Any updates on this?

@jp-23

jp-23 commented Jan 13, 2021

@haverchuck - any updates? I am looking to have the logged-in user enter their current password before performing certain actions such as updating their email address, or deleting their account.

@TheSimonLam

@haverchuck Hey, I'm also trying to use this feature!
I'm trying to change a user's email after verifying it's their account by using a password.
Please let us know how it's going :)

@john-nexkey

Currently vetting the workaround detailed by @Mowinski and wanted to document some findings as I am leaning toward this being a viable path for the use-case described by @jp-23. The workaround, for reference:

I found a workaround but it is ugly. I just try to set a new password as old password and I check the status of this operation :)

Although not ideal (clearly verifyPassword would be ideal), this approach and any perceived side-effects appear to be benign. Wondering if anyone else has found otherwise? I was hoping that setting the same password would yield an exception instead of a 200 response with a corresponding update to the Last Modified date, when in fact the change was inconsequential.

Another oddity is that the Audit Log shows password change events in a perpetual state of In Progress.


My tests, for reference:

// (bad,bad) password test (weak pw, for example foo)
await Auth.changePassword(user, "foo", "foo");
// RESPONSE => 400 / {code: "InvalidParameterException", name: "InvalidParameterException", message: "2 validation errors detected: Value at 'previousPa…ember must have length greater than or equal to 6"}

// (bad,bad) password test (strong pw, for example yVGm=?Y)&-)[G3FU)
await Auth.changePassword(user, "yVGm=?Y)&-)[G3FU", "yVGm=?Y)&-)[G3FU");
// RESPONSE => 400 / {code: "NotAuthorizedException", name: "NotAuthorizedException", message: "Incorrect username or password."}

// (good,good) password test
await Auth.changePassword(user, "CORRECT_PASSWORD", "CORRECT_PASSWORD");
// RESPONSE => 200 / {}

// (good,"")
await Auth.changePassword(user, "CORRECT_PASSWORD", "");
// RESPONSE => 400 / {code: "InvalidParameterException", name: "InvalidParameterException", message: "2 validation errors detected: Value at 'proposedPa…atisfy regular expression pattern: ^[\S]+.*[\S]+$"}

// (good,null)
await Auth.changePassword(user, "CORRECT_PASSWORD", null);
// RESPONSE => 400 / {code: "InvalidParameterException", name: "InvalidParameterException", message: "1 validation error detected: Value at 'proposedPas…ed to satisfy constraint: Member must not be null"}
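The workaround above, wrapped into a re-verification gate for a sensitive action such as enabling MFA. This is an added example, not code from the issue or from Amplify: `auth` is an assumed injected object with the shape of Amplify's `Auth.changePassword(user, oldPassword, newPassword)`, and `fakeAuth` is a constructed stand-in that reproduces the responses recorded in the comment above so the code runs offline.

```javascript
// Outcome of a password re-check. Only VERIFIED should unlock a sensitive
// action such as enrolling a new MFA device.
const Outcome = Object.freeze({
  VERIFIED: 'verified',
  WRONG_PASSWORD: 'wrong-password',
  REJECTED_INPUT: 'rejected-input',
  ERROR: 'error',
});
// Re-verify the signed-in user's password with the thread's workaround:
// changePassword(user, pw, pw). `auth` is an assumed dependency with the
// shape of Amplify's Auth.changePassword, injected so the code runs offline.
async function verifyCurrentPassword(auth, user, password) {
  if (typeof password !== 'string' || password.length === 0) {
    return Outcome.REJECTED_INPUT; // never send "" or null to Cognito
  }
  try {
    await auth.changePassword(user, password, password);
    return Outcome.VERIFIED; // 200 / {} in the posted tests
  } catch (err) {
    switch (err && err.code) {
      case 'NotAuthorizedException': // "Incorrect username or password."
        return Outcome.WRONG_PASSWORD;
      case 'InvalidParameterException': // failed length/pattern validation
        return Outcome.REJECTED_INPUT;
      default:
        return Outcome.ERROR; // throttling, network: fail closed
    }
  }
}
// Gate a sensitive action (here: enabling MFA) on a fresh verification.
async function enableMfaGuarded(auth, user, password, enableMfa) {
  const outcome = await verifyCurrentPassword(auth, user, password);
  if (outcome !== Outcome.VERIFIED) return { enabled: false, outcome };
  await enableMfa(user);
  return { enabled: true, outcome };
}
// Constructed fake that mirrors the responses recorded in the comment above
// (hypothetical; not the real Cognito service).
function fakeAuth(correctPassword) {
  const fail = (code) => Object.assign(new Error(code), { code, name: code });
  return {
    async changePassword(user, oldPw, newPw) {
      if (oldPw.length < 6 || newPw.length < 6) throw fail('InvalidParameterException');
      if (oldPw !== correctPassword) throw fail('NotAuthorizedException');
      return {};
    },
  };
}
```

Each successful check still issues a real password-change call, so expect the Last Modified update and the audit-log entries the comment describes, and treat a burst of such events for one user as something to alert on.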

@codercodingthecode

With 2FA usage increase, this should most definitely be a feature.

@gabrielmaldi

gabrielmaldi commented Feb 8, 2022

It's very important to verify a user's password via a challenge before changing any MFA settings. Otherwise, if the user leaves his computer unattended for a moment, anyone can enable a new 2FA device and lock him out of his account.

@dilan-dio4

@gabrielmaldi use the workaround described by @john-nexkey for now. It's pretty annoying that this feature isn't available at this point. The amplify team is obviously aware that this should be available, I imagine they see potential security flaws from client apps.

Also, manually triggering an MFA verification event should be implemented as well.

@elorzafe elorzafe added the Service Team Issues asked to the Service Team label Jun 21, 2022
@jp-23

jp-23 commented Dec 28, 2022

@haverchuck - is there a repo for Cognito where I can submit this request? It sounds like the Cognito service first needs to provide this functionality right?

@cwomack
Member

cwomack commented Mar 9, 2023

Closing this issue down as a duplicate of #1582. Please follow that issue for updates on progress for this feature request.

@cwomack cwomack closed this as not planned (duplicate) Mar 9, 2023