
Suppose a Cognito user forgets to verify their account (via email) and attempts to sign in. Can they still sign in, and can the API check that their account needs to be verified? Also, is there an API that can be invoked that will invoke a new verification code?

Also, is there a way to detect the edge case where someone signs in, but since they did not verify their account, the account gets deleted right after they sign in? So if they try to resend the confirmation code, it cannot be done since the account was deleted. Or is there a way to check if a user is signed in, and prohibit the account from getting deleted in this case?

Also, if Amazon is going to clean up / delete an unverified account, does it lock it first, such that no one can sign in?

Hermes
Ole

3 Answers

5

You can only sign in if your account has been verified. You can either do this by clicking on the verification link/code or the admin can change user attributes to set email_verified=True and/or phone_number_verified=true. The user's verified status is stored in their attributes, so no additional API call is needed to check if the user has verified their email/mobile.

You can use ResendConfirmationCode to generate new verification code.

AWS does not delete unverified accounts. You can do it if you need this feature by creating a lambda that will run daily and check if a user has been unverified for too long.

Ninad Gaikwad
  • I was trying to figure out if cognito could handle this type of scenario https://security.stackexchange.com/questions/213715/the-most-secure-way-to-handle-someone-forgetting-to-verify-their-account/213797#213797 – Ole Jul 27 '19 at 06:23
  • But perhaps, given the ResendConfirmationCode functionality, it's so rare that it's not really worth worrying about. – Ole Jul 27 '19 at 06:24
  • 3
    You could build a lambda that would trigger when a user tries to sign in. The lambda would check if the user is verified; if he isn't, then you can push a message to him telling him to verify his email. You can use this in combination with unauthenticated identity to grant access to some temporary resources till they manage to sign in. – Ninad Gaikwad Jul 27 '19 at 06:38
  • Ah - Brilliant - Thanks! – Ole Jul 27 '19 at 07:00
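The daily clean-up this answer suggests, written out as an added example (not code from the answer, from AWS, or from any project): a scheduled Lambda that lists UNCONFIRMED users through boto3 and deletes those older than a threshold. The pool id, the 7-day threshold, and the EventBridge schedule are assumptions; the selection logic is kept separate from the AWS calls so it can be tested offline.

```python
from datetime import datetime, timedelta, timezone

# Assumed configuration (placeholders, not a real pool or policy).
USER_POOL_ID = "REGION_EXAMPLEPOOLID"
MAX_UNCONFIRMED_AGE = timedelta(days=7)


def select_stale_unconfirmed(users, now, max_age=MAX_UNCONFIRMED_AGE):
    """Usernames of UNCONFIRMED users created more than max_age ago.

    `users` has the shape of the ListUsers response's "Users" list;
    confirmed users are skipped even if the server-side filter was omitted.
    """
    cutoff = now - max_age
    return [u["Username"] for u in users
            if u.get("UserStatus") == "UNCONFIRMED"
            and u["UserCreateDate"] < cutoff]


def list_unconfirmed_users(client, user_pool_id):
    """Page through ListUsers with the server-side status filter."""
    users, token = [], None
    while True:
        kwargs = {"UserPoolId": user_pool_id, "Limit": 60,
                  "Filter": 'cognito:user_status = "UNCONFIRMED"'}
        if token:
            kwargs["PaginationToken"] = token
        page = client.list_users(**kwargs)
        users.extend(page.get("Users", []))
        token = page.get("PaginationToken")
        if not token:
            return users


def cleanup(client, user_pool_id, now=None, max_age=MAX_UNCONFIRMED_AGE):
    """Delete stale unconfirmed users; returns the usernames removed."""
    now = now or datetime.now(timezone.utc)
    stale = select_stale_unconfirmed(
        list_unconfirmed_users(client, user_pool_id), now, max_age)
    for username in stale:
        client.admin_delete_user(UserPoolId=user_pool_id, Username=username)
    return stale


def lambda_handler(event, context):
    """Entry point for a scheduled (EventBridge) Lambda invocation."""
    import boto3  # imported lazily; the logic above needs no AWS dependency
    return {"deleted": cleanup(boto3.client("cognito-idp"), USER_POOL_ID)}
```

AdminDeleteUser is irreversible, so a first run with the delete call commented out and the returned list logged is a cheap way to confirm the threshold before enabling deletion.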
2

A non-verified user cannot sign in. Look at the state diagram documented here: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html

Your app can programmatically confirm users by calling the AdminConfirmSignUp API. https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminConfirmSignUp.html

Sébastien Stormacq
0

This is possible using a Pre Sign-up Lambda Trigger to confirm the newly registered account.

AWS documentation includes examples of:

Kohanz