How do I recover a user password in Amazon Cognito?


I want to recover a user password in Amazon Cognito.

Resolution

There are two ways to recover a user password in Amazon Cognito:

  • Self-service, through a code sent to the user's verified email address or phone number.
  • Through a reset initiated by an administrator.

Email or phone number verification

Use the ForgotPassword API command to start the recovery. It sends a recovery code to the user's verified email address or verified phone number; the code is valid for one hour. Then, call the ConfirmForgotPassword API command with that code and the new password to complete the reset.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

AWS CLI commands:

ForgotPassword

aws cognito-idp forgot-password --client-id 38fjsnc484p94kpqsnet7mpld0 --username jane@example.com

Output:

{
  "CodeDeliveryDetails": {
    "Destination": "j***@e***.com",
    "DeliveryMedium": "EMAIL",
    "AttributeName": "email"
  }
}

ConfirmForgotPassword

aws cognito-idp confirm-forgot-password --client-id 3n4b5urk1ft4fl3mg5e62d9ado --username diego@example.com --password PASSWORD --confirmation-code CONF_CODE

Note: You must pass --secret-hash in the CLI command if you meet both of the following requirements:

  • Your AWS CLI commands have --client-id as a parameter.
  • The app client is configured with a secret.

To calculate the secret hash of an app client, see [How do I troubleshoot "Unable to verify secret hash for client" errors from my Amazon Cognito user pools API?](https://repost.aws/knowledge-center/cognito-unable-to-verify-secret-hash)
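The same two-step flow as the CLI commands above, written against boto3 so that the SECRET_HASH requirement is handled in code rather than by hand. This is an added example, not code from the AWS page. It assumes boto3 (the forgot_password and confirm_forgot_password methods and their parameters are the real ones), the placeholder app client ID from the page, and that the app client may or may not have a client secret; the SECRET_HASH is Base64(HMAC-SHA256(key = client secret, message = username + client ID)), which is the value the "Unable to verify secret hash" article describes.

```python
"""Self-service forgot-password flow for a Cognito user pool app client.

Added example, not the AWS page's own code. Assumes boto3 and a cognito-idp
client; IDs and addresses are placeholders taken from the page.
"""
import base64
import hashlib
import hmac


def secret_hash(client_id: str, client_secret: str, username: str) -> str:
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).

    The message is the username followed by the app client ID, in that order;
    swapping them is the usual cause of "Unable to verify secret hash for client".
    """
    digest = hmac.new(
        client_secret.encode("utf-8"),
        (username + client_id).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(digest).decode("ascii")


def _auth_params(client_id: str, client_secret, username: str) -> dict:
    """ClientId/Username plus SecretHash, but only when the app client has a secret."""
    params = {"ClientId": client_id, "Username": username}
    if client_secret:
        params["SecretHash"] = secret_hash(client_id, client_secret, username)
    return params


def start_recovery(cognito, client_id: str, username: str, client_secret=None) -> dict:
    """Step 1 (ForgotPassword): Cognito sends the one-hour recovery code.

    Returns the masked CodeDeliveryDetails so the caller can tell the user
    where to look (EMAIL or SMS) without revealing the full address.
    """
    resp = cognito.forgot_password(**_auth_params(client_id, client_secret, username))
    return resp["CodeDeliveryDetails"]


def finish_recovery(cognito, client_id: str, username: str, code: str,
                    new_password: str, client_secret=None) -> bool:
    """Step 2 (ConfirmForgotPassword): exchange the delivered code for the new password."""
    params = _auth_params(client_id, client_secret, username)
    params["ConfirmationCode"] = code.strip()  # codes pasted from mail often carry whitespace
    params["Password"] = new_password
    cognito.confirm_forgot_password(**params)
    return True


if __name__ == "__main__":
    # Live run against AWS; the region and IDs below are placeholders.
    import getpass
    import boto3

    cognito = boto3.client("cognito-idp", region_name="us-west-2")
    CLIENT_ID = "38fjsnc484p94kpqsnet7mpld0"
    CLIENT_SECRET = None  # set this if the app client is configured with a secret
    user = "jane@example.com"
    print(start_recovery(cognito, CLIENT_ID, user, CLIENT_SECRET))
    finish_recovery(cognito, CLIENT_ID, user, input("Code: "),
                    getpass.getpass("New password: "), CLIENT_SECRET)
```

The helpers take the client as a parameter so the flow can be exercised against a stub in tests; the secret never leaves the server side, which is the reason Cognito only allows a client secret on app clients used from a backend in the first place.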

Administrator reset

Note: If you're not an administrator, then contact your administrator to complete the following actions.

When you call the AdminResetUserPassword API command, the user's current password is invalidated, and the user must change it. If the user tries to sign in after the API command is called, the app will do the following:

  • Get PasswordResetRequiredException back.
  • Direct the user to reset the password with the forgot password flow.

Additionally, calling the API sends the user a message with a code to change their password if either of the following is true:

  • The user pool has phone verification selected, and the user has a verified phone number.
  • The user pool has email verification selected, and the user has a verified email address.

AWS CLI commands:

AdminResetUserPassword

aws cognito-idp admin-reset-user-password --user-pool-id us-west-2_aaaaaaaaa --username diego@example.com

ConfirmForgotPassword

aws cognito-idp confirm-forgot-password --client-id 3n4b5urk1ft4fl3mg5e62d9ado --username diego@example.com --password PASSWORD --confirmation-code CONF_CODE

AdminSetUserPassword

As the administrator, you can also use the AdminSetUserPassword API command to set a user's password directly. The password can be temporary or permanent. If it's temporary, then the user enters the FORCE_CHANGE_PASSWORD state, and the next InitiateAuth or AdminInitiateAuth response contains the NEW_PASSWORD_REQUIRED challenge, which the user answers with a new password. A temporary password expires after the validity period configured for the user pool; if the user doesn't sign in before then, the user can't sign in, and an administrator must set or reset the password again. After the user sets a new password, or if the password was set as permanent, then the user status is CONFIRMED.

aws cognito-idp admin-set-user-password --user-pool-id us-west-2_aaaaaaaaa --username diego@example.com --password Hello@123 --permanent

Note: A password passed with --password is recorded in your shell history and is visible in the process list while the command runs. Prefer a temporary password, or read the value from a file or prompt rather than typing it on the command line.
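The administrator side of the same procedure, as code: AdminResetUserPassword, a server-side sign-in that recognises the two post-reset states (PasswordResetRequiredException after a reset, the NEW_PASSWORD_REQUIRED challenge after a temporary password), and answering that challenge. This is an added example, not code from the AWS page. It assumes boto3 with IAM credentials permitted to call the cognito-idp Admin* APIs, and an app client without a client secret (so no SECRET_HASH is needed); the boto3 method names and parameters are the real ones, and the pool, client and user identifiers are the page's placeholders. The SignInResult type and the status strings are this example's own.

```python
"""Administrator reset, temporary password and post-reset sign-in handling.

Added example, not the AWS page's own code. Assumes boto3, Admin* API
permissions and an app client with no client secret.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SignInResult:
    status: str                    # "OK", "NEW_PASSWORD_REQUIRED" or "RESET_REQUIRED" (names are this example's own)
    session: Optional[str] = None  # challenge session to hand back for NEW_PASSWORD_REQUIRED
    tokens: Optional[dict] = None  # AuthenticationResult on a completed sign-in


def admin_reset(cognito, pool_id: str, username: str) -> None:
    """AdminResetUserPassword: invalidates the current password. Cognito delivers a
    recovery code only if the pool verifies the attribute and the user has it verified."""
    cognito.admin_reset_user_password(UserPoolId=pool_id, Username=username)


def admin_set_password(cognito, pool_id: str, username: str, password: str, permanent: bool) -> None:
    """AdminSetUserPassword. Permanent=True leaves the user CONFIRMED; False issues a
    temporary password, so the user is FORCE_CHANGE_PASSWORD until the challenge is answered."""
    cognito.admin_set_user_password(UserPoolId=pool_id, Username=username,
                                    Password=password, Permanent=permanent)


def sign_in(cognito, pool_id: str, client_id: str, username: str, password: str) -> SignInResult:
    """AdminInitiateAuth, mapping the two post-reset states to a status the caller can act on."""
    try:
        resp = cognito.admin_initiate_auth(
            UserPoolId=pool_id, ClientId=client_id,
            AuthFlow="ADMIN_USER_PASSWORD_AUTH",
            AuthParameters={"USERNAME": username, "PASSWORD": password},
        )
    except cognito.exceptions.PasswordResetRequiredException:
        # AdminResetUserPassword was called: send the user through the forgot-password flow.
        return SignInResult(status="RESET_REQUIRED")
    if resp.get("ChallengeName") == "NEW_PASSWORD_REQUIRED":
        # Temporary password accepted; the user must now choose a permanent one.
        return SignInResult(status="NEW_PASSWORD_REQUIRED", session=resp["Session"])
    return SignInResult(status="OK", tokens=resp["AuthenticationResult"])


def complete_new_password(cognito, pool_id: str, client_id: str, username: str,
                          session: str, new_password: str) -> dict:
    """Answers NEW_PASSWORD_REQUIRED; on success the user becomes CONFIRMED and tokens are issued."""
    resp = cognito.admin_respond_to_auth_challenge(
        UserPoolId=pool_id, ClientId=client_id,
        ChallengeName="NEW_PASSWORD_REQUIRED", Session=session,
        ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password},
    )
    return resp["AuthenticationResult"]


if __name__ == "__main__":
    # Live run against AWS; region and identifiers are placeholders.
    import getpass
    import boto3

    cognito = boto3.client("cognito-idp", region_name="us-west-2")
    POOL, CLIENT, USER = "us-west-2_aaaaaaaaa", "3n4b5urk1ft4fl3mg5e62d9ado", "diego@example.com"
    admin_set_password(cognito, POOL, USER, getpass.getpass("Temporary password: "), permanent=False)
    result = sign_in(cognito, POOL, CLIENT, USER, getpass.getpass("Sign in with it: "))
    if result.status == "NEW_PASSWORD_REQUIRED":
        complete_new_password(cognito, POOL, CLIENT, USER, result.session,
                              getpass.getpass("New password: "))
```

Mapping PasswordResetRequiredException to a status rather than letting it propagate is what lets an application route the user into the forgot-password flow instead of showing a generic sign-in error; the challenge session is short-lived and must be passed back unchanged.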

AWS OFFICIAL. Updated a year ago.