Copyright 2017-2018 Jason Ross, All Rights Reserved

Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive
 

Sometimes you go away on vacation, then return to work and realize you've forgotten your password. Typically if you're working for a big company, you contact the IT department and they can help you. They'll usually reset your password and, if you're stuck at the login screen and can't reach your email, they'll tell you what the temporary password is while you're on the phone. That's usually enough to let you log on to your computer once, and immediately change the password to one that only you know.

But what happens if you're using an authentication system that doesn't let administrators reset passwords to a known value, something like, say, Cognito? If you need to reset a password to a known value for a user in a user pool, you've got a problem.

I've spent a lot of time looking for a graceful solution to this problem, only to find that there isn't one. Cognito lets the user or an administrator send a password reminder by email or text, or to initiate the "Forgot Password" process, but if the user has no access to SMS or email then that's where everything grinds to a halt and you end up needing to do the following:

  1. Retrieve all of the standard and custom attributes from the user's Cognito entry in your user pool, i.e.: email, names, phone numbers, etc. Everything!
  2. Delete the user's Cognito entry from your user pool using the AdminDeleteUser API. Yes, I really said delete it. Trust me, it'll (probably) be fine.
  3. Recreate a Cognito entry for the user in the same user pool, using the AdminCreateUser API, but be sure to specify a known password in the TemporaryPassword field. Make sure you set all of the attributes in this call as well.

Once you've done this, your user will receive an email or SMS with their temporary password. It doesn't matter if they can't access email or SMS messages though, because you specified the temporary password, so you can tell them it over the phone. Once they've logged in successfully the user can change their password to something only they know.

I realize this is potentially insecure, but sometimes you need your administrators to be able to do things like this. If you can't trust your own administrators, you've got more serious problems than a few forgotten passwords!