What are the effects of turning on the Prevent User Existence Errors setting in Amazon Cognito?

5 minute read
0

I want to learn more about the Prevent User Existence Errors setting in Amazon Cognito.

Short description

User enumeration is a web application vulnerability where a malicious actor uses brute-force techniques to guess or confirm valid users in a system. Amazon Cognito provides a security feature to stop bad actors from finding valid users inside an Amazon Cognito user pool. This security feature is available for the most common areas where user enumeration occurs:

  • User authentication
  • User confirmation
  • Password recovery
  • User registration

Resolution

User authentication

When the user name and password of a nonexistent user are entered, Amazon Cognito responds with an exception named UserNotFoundException. This user existence error explicitly states that the entered user name doesn't exist. Based on this error response, malicious actors can perform a brute-force attack to guess valid users in your user pool.

Turn on the Prevent User Existence Errors setting so that your Amazon Cognito app client returns a generic message for nonexistent user sign-in requests. The generic message says that the user name or password is incorrect. The Prevent User Existence Errors setting helps guard against credential-guessing attacks because the user's existence isn't revealed by the error message.

Sample error response for nonexistent user sign-in attempts

The following are example error responses for nonexistent user sign-in attempts.

$ aws cognito-idp initiate-auth --client-id 12ab34cd56ef78gh91ij23kl45m --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME="myuser",PASSWORD="password"

With the Prevent User Existence Errors setting turned off: "An error occurred (UserNotFoundException) when calling the InitiateAuth operation: User does not exist."

With the Prevent User Existence Errors setting turned on: "An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Incorrect username or password."

User confirmation

When the Prevent User Existence Errors setting is turned on, and a user is deactivated or isn't found, Amazon Cognito returns CodeDeliveryDetails. Code delivery details are returned to users with a simulated delivery medium instead of returning the exception named UserNotFoundException. When a user exists in the user pool, Amazon Cognito sends a confirmation code to the user's existing email address or phone number. The simulated delivery medium is determined by the user name's input format and the user pool's verification settings.

Sample error response for nonexistent user resending confirmation code

The following are sample error responses for resending a confirmation code to a nonexistent user in a user pool:

$ aws cognito-idp resend-confirmation-code --client-id 12ab34cd56ef78gh91ij23kl45m --username "myuser"

With the Prevent User Existence Errors setting turned off: "An error occurred (UserNotFoundException) when calling the ResendConfirmationCode operation: Username/client id combination not found."

With the Prevent User Existence Errors setting turned on, where the email address is random and the delivery medium is simulated:

{
  "CodeDeliveryDetails": {
    "Destination": "n****@g****.com",
    "DeliveryMedium": "Email",
    "AttributeName": "email"
  }
}

Password recovery

When the Prevent User Existence Errors setting is turned on and a user is deactivated, isn't found, or can't recover passwords, Amazon Cognito returns CodeDeliveryDetails. Code delivery details provide a simulated delivery medium for a user instead of returning the exception named UserNotFoundException. The simulated delivery medium is determined by the user name's input format and the user pool's recovery settings.

With code recovery details, you can see that the recovery code is sent to a random simulated email address or phone number. This simulated delivery medium makes it difficult for the attacker to differentiate between users that are valid and that aren't valid.

Amazon Cognito returns CodeDeliveryDetails with a simulated delivery medium in the password reset flow. However, the password reset codes aren't actually sent to the simulated delivery medium. This is a security measure to avoid spamming unverified email addresses and phone numbers.

Sample error response for nonexistent user password recovery

The following are sample error responses for password recovery for users who don't exist in the user pool:

$ aws cognito-idp forgot-password --client-id 12ab34cd56ef78gh91ij23kl45m --username "myuser"

With the Prevent User Existence Errors setting turned off: "An error occurred (UserNotFoundException) when calling the ForgotPassword operation: Username/client id combination not found."

With the Prevent User Existence Errors setting turned on, where the phone number is random and the delivery medium is simulated:

{
  "CodeDeliveryDetails": {
    "Destination": "+*******0874",
    "DeliveryMedium": "SMS",
    "AttributeName": "phone_number"
  }
}

User registration

The SignUp operation returns UsernameExistsException when a user name is already in use. To prevent the UsernameExistsException error for an email address or phone number during sign-up, use verification-based aliases.

A registration succeeds when an email address or phone number is supplied as an alias from a different account that's already in use. When a user tries to confirm an account with this email address or phone number and a valid verification code, the AliasExistsException error is returned. The error indicates to the user that an account with this email address or phone number exists.

Because the user existence error is revealed only after entering a valid code, this process eliminates the potential risk of bad actors identifying valid users. To learn more about verification-based aliases, see User pool attributes and choose the Customizing sign-in attributes tab.

How do I modify the Prevent User Existence Errors setting in Amazon Cognito?

Follow these steps to modify the Prevent User Existence Errors setting:

  1. Sign in to the Amazon Cognito console.
  2. Select an existing user pool from the list.
  3. Choose the App integration section.
  4. Under App clients, select an app client from the list.
  5. Under the App client information section, choose the Edit button.
  6. Scroll to the bottom to find the Prevent user existence errors setting under Advanced security configurations. Select or clear or this option.
  7. Save your changes.

For more information regarding error responses, see Managing error responses.


AWS OFFICIAL
AWS OFFICIALUpdated a year ago