AWS Cognito send forgot password otp to both email and phone number - amazon-cognito

I am using Cognito for auth, and for account recovery I have selected the option below:
(Not Recommended) Phone if available, otherwise email, and do allow a user to reset their password via phone if they are also using it for MFA.
And whenever a user is getting created I am setting the phone number as verified, so both email and phone number will be in the verified status.
I am trying to send the OTP to both email and phone number for a specific app client.
Right now it's going only to the phone number if the number is verified.

Related

AWS Cognito hosted reset password with no existent account

We are using Cognito hosted and users are clicking the "Forgot Password" option, entering their email which does not exist as a user, but then still being told to check their email for a reset code that never appears.
Is there any way to change the messaging or send an email with instructions on creating a new account?

Firebase authentication provider silently changes from password to google.com

I use firebase authentication for my web app with three providers: email-password, google, or facebook. I have enabled the option "One account per email address".
When a user signs up using email-password (with a gmail address), then later uses google sign-in, I expect to receive an exception "auth/account-exists-with-different-credential", but I do not. His providerId is changed to google.com and he cannot use his password anymore (throws "auth/wrong-password").
Is this normal behaviour?
Firebase Authentication has a concept of a preferred provider for certain email addresses. The most common one is that google.com is the preferred provider for @gmail.com addresses, but I think they also exist for Facebook and Microsoft accounts.
If an existing account later signs up again from a preferred provider, that provider overwrites the existing user account. There is no way to change this behavior (that I know of).
Also see:
Github issue Facebook provider overwritten by Google provider
Mailing list Firebase Social Authentication Issue with fb and gmail flow
Authentication using Facebook at first and then Google causes an error in Firebase for Android
This is how I'm solving it:
https://firebase.google.com/docs/auth/android/account-linking
Just link the "accounts".
Update 2023:
You can now choose if you want to allow 'User account linking'. For example, if you don't allow multiple accounts with the same email address, a user cannot create a new account that signs in using a Google Account with the email address ex@gmail.com if there already is an account that signs in using the email address ex@gmail.com and a password.
If you do allow multiple accounts with the same email address, your app's sign-in flow cannot rely on an email address to identify a user account.
You can find this under settings within Firebase Authentication.
There are some caveats to using this feature, please read about it here

Cognito email verification

I'm working on building a mobile / web app and would like to utilize AWS Cognito for authentication.
I wanted to do a proof of concept before implementing it completely. As part of that, I have set up a user pool and used Amplify to SignUp and SignIn users.
As part of Sign up I was able to verify the user using verification code to either a phone (or) email.
Also as part of Sign In, I received the MFA tokens in my phone/email and validated the MFA before logging in.
My question is, I would like to differentiate the email/phone verification methodology (SignUp) vs. the MFA token methodology (SignIn).
Is it possible to verify user email via a verification link (SignUp) and utilize token based MFA for SignIn?
I tried changing the user pool MFA message from code to link. I'm getting a verification link in my email, however I'm not getting an MFA - because I have used email as my verification method.
Per the documentation, email verification doesn't trigger MFA as part of SignIn.
In your user pool, if you have selected both email and phone as required, phone is given more priority. At the time of sign up and sign in, you are just given an MFA code via SMS but not email.
But if you want to use email for sign up and a phone MFA SMS code for signing in, please read this:
You need to call 3 methods (GetUser, GetUserAttributeVerificationCode and VerifyUserAttribute) from the AWS SDK to verify the other attribute.
Reference article - AWS Docs
Hope it helps.
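The three-call sequence named in the answer above, sketched in Python as an added example (not code from the answer or from AWS). The functions take any client that behaves like `boto3.client("cognito-idp")`; `FakeCognito` and its values are a constructed offline stand-in that mimics the request and response shapes of those three calls.

```python
def unverified_contact_attributes(client, access_token):
    """GetUser: list contact attributes that are set but not yet verified."""
    attrs = {a["Name"]: a["Value"]
             for a in client.get_user(AccessToken=access_token)["UserAttributes"]}
    return [name for name in ("email", "phone_number")
            if name in attrs and attrs.get(name + "_verified", "false") != "true"]


def request_code(client, access_token, attribute_name):
    """GetUserAttributeVerificationCode: send a code, return (medium, destination)."""
    resp = client.get_user_attribute_verification_code(
        AccessToken=access_token, AttributeName=attribute_name)
    details = resp["CodeDeliveryDetails"]
    return details["DeliveryMedium"], details["Destination"]


def confirm_code(client, access_token, attribute_name, code):
    """VerifyUserAttribute: submit the code, then re-read the user to confirm."""
    client.verify_user_attribute(
        AccessToken=access_token, AttributeName=attribute_name, Code=code)
    return attribute_name not in unverified_contact_attributes(client, access_token)


class FakeCognito:
    """Constructed stand-in so the flow runs offline; not a real AWS client."""
    def __init__(self):
        self.attrs = {"email": "user@example.com", "email_verified": "false",
                      "phone_number": "+15555550100", "phone_number_verified": "true"}
        self.codes = {}

    def get_user(self, AccessToken):
        return {"Username": "demo",
                "UserAttributes": [{"Name": k, "Value": v} for k, v in self.attrs.items()]}

    def get_user_attribute_verification_code(self, AccessToken, AttributeName):
        self.codes[AttributeName] = "123456"  # constructed code
        medium = "EMAIL" if AttributeName == "email" else "SMS"
        return {"CodeDeliveryDetails": {"AttributeName": AttributeName,
                                        "DeliveryMedium": medium,
                                        "Destination": "u***@e***"}}

    def verify_user_attribute(self, AccessToken, AttributeName, Code):
        # The real service raises CodeMismatchException here; ValueError stands in.
        if self.codes.get(AttributeName) != Code:
            raise ValueError("CodeMismatchException")
        self.attrs[AttributeName + "_verified"] = "true"
        return {}
```

The access token is the one returned for the signed-in user, so the second attribute is verified only after the user has already authenticated with the first.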

OAuth Developer Verification Form phone number

Under contact info there's the required field for phone number, but some country calling codes are missing.
How can I verify my product if I'm from Estonia?
I was sent this link to verify a project last year and only now got around to it:
https://support.google.com/code/contact/oauth_app_verification
I want to verify a Moodle website so uploading files from Google Drive to Moodle wouldn't give the unverified app message.

Parse: How to sign-in / sign-up users only with an email address like Medium.com? (no passwords)

I want to allow users to both sign in and sign up only with an email address and without entering passwords using Parse, in a similar way to how Medium does it, where an email is sent with a deep-link that logs the user into the iOS app without a password. How can I do this on Parse?