amazon-web-services amazon-cognito

AWS Cognito fails to resetPassword() for verified email


I'm having an issue with Cognito from AWS. After creating new identity and user pools for, and registering them for MFA (email), I cannot use the "resetPassword" functionality. It does not work even from the console: when I click on the user and try to manually reset their password from the AWS GUI, I get this error message:

Cannot reset password for the user as there is no registered/verified email or phone_number

However, I've checked multiple times and the email is verified, I see this displayed in the console:


I also see `email_verified: true` when I query AWS directly with `aws cognito-idp`. I've also gone through the `signIn` process with this account, and encountered no errors. I can also receive MFA confirmation codes and they work. `resetPassword` is the one thing that does not seem to work.

However, no matter what I do I keep getting an error that there is no "registered/verified email or phone_number". `phone_number` isn't required anywhere in my user or identity pool.

For what it's worth, we use Amazon SES for delivering the MFA codes, and it's how I'd expect to receive an email containing "reset password" instructions.

Any help would be appreciated, thanks.


Solution

  • It turns out that the `phone_number` and `phone_number_verified` were both required by my user pool. From the AWS docs:

    For example, users can’t set up email MFA when your recovery option is Email only. This is because you can't enable email MFA and set the recovery option to Email only in the same user pool. When you set this option to Email if available, otherwise SMS, email is the priority recovery option but your user pool can fall back to SMS message when a user isn't eligible for email-message recovery.

    Ultimately the problem was that you cannot have MFA with email only and have it be the only recovery option. SMS is required in those cases.

    Source: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
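
The rule described in the answer, as an added example that is not part of the original post or AWS code: an offline check that reports which recovery mechanisms can actually deliver a reset code to a user. The dict shapes are assumed to follow the boto3 `cognito-idp` `describe_user_pool` (`UserPool`) and `admin_get_user` responses, the function name is hypothetical, and all sample values are constructed.

```python
# Added example: simplified model of the email-MFA / recovery conflict.
# Assumption: inputs look like boto3 cognito-idp describe_user_pool()["UserPool"]
# and admin_get_user() responses. All sample data below is constructed.

# A channel already used for the user's MFA cannot also deliver reset codes.
MFA_BLOCKS = {"EMAIL_OTP": "verified_email", "SMS_MFA": "verified_phone_number"}
VERIFIED_ATTR = {"verified_email": "email_verified",
                 "verified_phone_number": "phone_number_verified"}

def usable_recovery_channels(user_pool, user):
    """Return recovery mechanisms usable for this user, in priority order."""
    attrs = {a["Name"]: a["Value"] for a in user.get("UserAttributes", [])}
    blocked = {MFA_BLOCKS[m] for m in user.get("UserMFASettingList", [])
               if m in MFA_BLOCKS}
    mechanisms = sorted(
        user_pool.get("AccountRecoverySetting", {}).get("RecoveryMechanisms", []),
        key=lambda m: m["Priority"])
    usable = []
    for mech in mechanisms:
        name = mech["Name"]
        if name not in VERIFIED_ATTR:   # e.g. admin_only: no self-service code
            continue
        if name in blocked:             # same channel as the user's MFA
            continue
        if attrs.get(VERIFIED_ATTR[name], "false").lower() != "true":
            continue                    # attribute missing or not verified
        usable.append(name)
    return usable

# Constructed pools: "Email only" vs "Email if available, otherwise SMS".
EMAIL_ONLY_POOL = {"AccountRecoverySetting": {"RecoveryMechanisms": [
    {"Priority": 1, "Name": "verified_email"}]}}
EMAIL_THEN_SMS_POOL = {"AccountRecoverySetting": {"RecoveryMechanisms": [
    {"Priority": 1, "Name": "verified_email"},
    {"Priority": 2, "Name": "verified_phone_number"}]}}

# Constructed users: email MFA, with and without a verified phone number.
EMAIL_ATTRS = [{"Name": "email", "Value": "user@example.com"},
               {"Name": "email_verified", "Value": "true"}]
USER_EMAIL_MFA = {"UserMFASettingList": ["EMAIL_OTP"], "UserAttributes": EMAIL_ATTRS}
USER_WITH_PHONE = {"UserMFASettingList": ["EMAIL_OTP"], "UserAttributes": EMAIL_ATTRS + [
    {"Name": "phone_number", "Value": "+15555550100"},
    {"Name": "phone_number_verified", "Value": "true"}]}

if __name__ == "__main__":
    for pool in (EMAIL_ONLY_POOL, EMAIL_THEN_SMS_POOL):
        for user in (USER_EMAIL_MFA, USER_WITH_PHONE):
            print(usable_recovery_channels(pool, user) or "no usable recovery channel")
```

An empty result corresponds to the situation in the question: the email is verified, but because it is the MFA channel it does not count as a recovery destination.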