systemdebt

Reputation: 4941

Cognito and MFA

We would like for username and password to be asked every time but not the MFA. I see there is an option to remember the device in Cognito. Is it possible that MFA can be prompted less frequently but with the login credentials every time?

If remember device suppresses the MFA prompt, how long does it suppress it for?

Upvotes: 1

Views: 1215

Answers (1)

GSSwain

Reputation: 6133

If remember device suppresses the MFA prompt, how long does it suppress it for?

Till the device is remembered.

Depending on how you configure the Cognito user pool to remember devices and whether you opt to suppress MFA for remembered devices, the following are the possibilities.

  • Always: In this case the user will be presented with an MFA challenge only once, i.e. the first time they sign in from a new device.
  • User Opt In: In this case the user decides whether he/she wants the particular device to be remembered or not. (Once remembered, the MFA is suppressed from the same device until the user opts out of remembering the device.)

For the SRP flow to work, the client must have the correct deviceKey, deviceGroupKey and randomPasswordKey. If the client doesn't provide this information, then it would be challenged with MFA. If the user uses a browser in incognito mode or clears the LocalStorage, they would be presented with the MFA challenge.

Upvotes: 3
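The following is an added example, not part of the answer above or of any AWS sample code. It classifies a user pool's device settings into the modes the answer lists and, because suppression lasts as long as the device stays remembered, shows one way to impose your own maximum age by marking old devices `not_remembered`. It assumes `client` is a boto3 `cognito-idp` client; the 90-day limit, function names and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def mfa_suppression_mode(user_pool):
    """Classify the 'UserPool' dict returned by DescribeUserPool."""
    cfg = user_pool.get("DeviceConfiguration")
    if not cfg:
        return "off"             # device remembering disabled: MFA on every sign-in
    if not cfg.get("ChallengeRequiredOnNewDevice", False):
        return "no-suppression"  # devices are tracked, but MFA is still prompted
    if cfg.get("DeviceOnlyRememberedOnUserPrompt", False):
        return "user-opt-in"
    return "always"

def expired_device_keys(devices, max_age_days, now=None):
    """DeviceKeys from an AdminListDevices 'Devices' list created before the cutoff."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    return [d["DeviceKey"] for d in devices if d["DeviceCreateDate"] < cutoff]

def expire_remembered_devices(client, pool_id, username, max_age_days, now=None):
    """Mark a user's old devices not_remembered so they stop suppressing MFA."""
    expired, token = [], None
    while True:
        kwargs = {"UserPoolId": pool_id, "Username": username, "Limit": 60}
        if token:
            kwargs["PaginationToken"] = token
        page = client.admin_list_devices(**kwargs)
        expired += expired_device_keys(page.get("Devices", []), max_age_days, now)
        token = page.get("PaginationToken")
        if not token:
            break
    for key in expired:
        client.admin_update_device_status(
            UserPoolId=pool_id, Username=username,
            DeviceKey=key, DeviceRememberedStatus="not_remembered")
    return expired

# Constructed sample data (not from a real user pool).
SAMPLE_POOL = {"DeviceConfiguration": {"ChallengeRequiredOnNewDevice": True,
                                       "DeviceOnlyRememberedOnUserPrompt": True}}
SAMPLE_DEVICES = [
    {"DeviceKey": "example-device-old",
     "DeviceCreateDate": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"DeviceKey": "example-device-new",
     "DeviceCreateDate": datetime(2024, 5, 20, tzinfo=timezone.utc)},
]
```

Run `expire_remembered_devices` on a schedule per user; a device whose status was reset behaves like a new device for MFA purposes until it is remembered again.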
