amplify-swift

User auth MFA

Open springlo opened this issue 4 years ago • 9 comments

Is it possible with the iOS Amplify framework to enable MFA for the user client side, in pools that have MFA as an option? I haven't been able to find any documentation for this, and I'm wondering if the only workaround is to call a lambda function instead.

springlo avatar Dec 04 '20 08:12 springlo

Hi @springlo - I'm not sure if I understand your question -- you want to enable MFA for the user client side in pools that have MFA as an option? Can you provide an example of what you're trying to do?

Here is our official documentation with regards to MFA: https://docs.amplify.aws/lib/auth/signin/q/platform/ios#multi-factor-authentication

wooj2 avatar Dec 04 '20 19:12 wooj2

@wooj2 I originally raised this question in the Discord. When a Cognito user pool is created, it gives you the option to have MFA enabled case by case for users as an option. Right now in my use case, users sign up by putting their phone number and password in, and then they are prompted whether or not they want to enable MFA for extra security. If I want to enable MFA for them, I have to call a lambda function that uses AWS' boto3 API to enable MFA for the user. Is it possible to enable it for each user client side, or do I have to continue using the lambda function workaround until this is implemented?

AliothP avatar Dec 04 '20 21:12 AliothP

After successful signup with MFA, how do I automatically sign in the user? It would be annoying for the user and costly for the developer to send another SMS for sign-in.

I don't see in the docs how to do this. Is this possible with current amplify?

springlo avatar Dec 05 '20 17:12 springlo

Hi @springlo, After a user successfully signs up with MFA, the user must go through the sign in process again. There is currently no way to automatically sign them in.

Hi @Zenovis, Can you provide more info on which boto3 API you are using in your lambda to enable this?

Thanks!

wooj2 avatar Jan 15 '21 00:01 wooj2

Hey @wooj2,

I'm using the cognito-idp boto3 client to enable MFA for the user. The code below is in Python 3.8.

```python
import boto3


class Cognito:
    # Shared cognito-idp client, created once when the class is defined
    Client = boto3.client("cognito-idp")

    @staticmethod
    def UpdateSMSMFAStatusForUser(userAccessToken, newStatus):
        try:
            # Enable or disable SMS MFA for the user who owns the access token
            Response = Cognito.Client.set_user_mfa_preference(SMSMfaSettings = {
                "Enabled": newStatus,
                "PreferredMfa": newStatus
            }, AccessToken = userAccessToken)
            if Response["ResponseMetadata"]["HTTPStatusCode"] == 200:
                return True
            else:
                # Failure
                return False
        except Exception as Error:
            # Failure
            return False
```

User Access Token is acquired by creating an escape hatch to the AWSMobileClient instance in Amplify, even though it is not recommended.

AliothP avatar Jan 15 '21 03:01 AliothP
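As an added example (not part of the thread and not Amplify's own code), here is one way to structure the Lambda-side call so the user's choice of SMS or TOTP is validated before it reaches Cognito and the Cognito error code is returned instead of being swallowed. The names `build_mfa_preference` and `set_mfa_for_caller` are hypothetical, the client is passed in (for example `boto3.client("cognito-idp")`), and disabling the factor that was not chosen is a design assumption of this sketch.

```python
VALID_METHODS = ("SMS", "TOTP", "NONE")  # choices offered to the user (assumption)


def build_mfa_preference(method):
    """Build the settings for set_user_mfa_preference.

    Exactly one factor is enabled and preferred, or none at all, so the
    request never asks for PreferredMfa on a factor that is not enabled.
    """
    if method not in VALID_METHODS:
        raise ValueError("unsupported MFA method")
    sms = method == "SMS"
    totp = method == "TOTP"
    return {
        "SMSMfaSettings": {"Enabled": sms, "PreferredMfa": sms},
        "SoftwareTokenMfaSettings": {"Enabled": totp, "PreferredMfa": totp},
    }


def set_mfa_for_caller(client, access_token, method):
    """Apply the caller's MFA choice using the caller's own access token.

    The call is authorized by the access token, so it changes only the
    preference of the user the token belongs to. The token is never
    logged or echoed back in the result.
    """
    if not isinstance(access_token, str) or not access_token:
        return {"ok": False, "error": "missing_token"}
    try:
        settings = build_mfa_preference(method)
    except ValueError:
        return {"ok": False, "error": "invalid_method"}
    try:
        client.set_user_mfa_preference(AccessToken=access_token, **settings)
    except Exception as err:
        # botocore's ClientError carries the service error code in .response
        response = getattr(err, "response", None) or {}
        code = response.get("Error", {}).get("Code", "Unknown")
        return {"ok": False, "error": code}
    return {"ok": True, "error": None}
```
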

@Zenovis Thank you for the information. Set user MFA preference is not currently available in the iOS Amplify.Auth. We will take this as a feature request and will update this ticket when we have more information.

royjit avatar Feb 10 '21 04:02 royjit

+1 to be able to modify / check MFA status for a user via SDK. Useful to allow users to enable / disable directly in the application.

euphio avatar May 07 '21 11:05 euphio

This issue is stale because it has been open for 14 days with no activity. Please, provide an update or it will be automatically closed in 7 days.

github-actions[bot] avatar Jun 19 '21 00:06 github-actions[bot]

I'm a little surprised as to why user MFA preference is not available on the framework yet? Cognito has for as long as I can remember provided an optional box for MFA. So that implies there should be some way to enable it. Any idea on how long before this is implemented?

alionthego avatar Aug 26 '21 06:08 alionthego

Wait so is this saying that there is no way to set the preferred MFA method from the mobile client?

So if our app wants to provide MFA support and the user gets to decide whether they want to use SMS or TOTP how do they set that preference from the app?

tylerjames avatar Feb 22 '23 17:02 tylerjames

@tylerjames That is correct. At the moment there is no direct way of setting the user MFA preference. This is being actively worked upon as part of a broader TOTP effort. Having said that, you can still try to implement it yourself using the Escape Hatch and then call the Cognito API directly using the escape hatch client.

harsh62 avatar Mar 02 '23 20:03 harsh62

I'm not sure about the escape hatch business but I was able to do it like this:
First get an accessToken using AWSMobileClient.getTokens(). Then use AWSCognitoIdentityProvider like this:

```swift
// Enable SMS MFA and mark it as the preferred factor
var setting = AWSCognitoIdentityProviderSMSMfaSettingsType()
setting.enabled = true
setting.preferredMfa = true

// token is the access token obtained from AWSMobileClient.getTokens()
var request = AWSCognitoIdentityProviderSetUserMFAPreferenceRequest()
request.accessToken = token
request.smsMfaSettings = setting

AWSCognitoIdentityProvider
    .default()
    .setUserMFAPreference(request)
    // etc
```

That seemed to do it

(Sorry, I'm still using the older AWS iOS SDK but wanted to see if Amplify had this functionality)

tylerjames avatar Mar 02 '23 21:03 tylerjames

The AWS iOS SDK supports it as you suggested. I was talking about Amplify. In Amplify V2, it is only possible using the escape hatch.

harsh62 avatar Mar 02 '23 21:03 harsh62

Good to know. I'm hoping to upgrade to Amplify sometime in the near future so I'll probably have to come back to this solution anyway

tylerjames avatar Mar 02 '23 21:03 tylerjames

Amplify added support for TOTP MFA in 2.16.0.

harsh62 avatar Aug 29 '23 00:08 harsh62