
Passwordless Sign-In method with email + OTP response is inconsistent for different emails #14195

Open
3 tasks done
shashanksrajak opened this issue Feb 7, 2025 · 3 comments
Labels
Auth Related to Auth components/category pending-community-response Issue is pending a response from the author or community. question General question

Comments

@shashanksrajak

Before opening, please confirm:

JavaScript Framework

Next.js

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

Amplify Gen 2

Environment information

  System:
    OS: macOS 15.1.1
    CPU: (8) arm64 Apple M1
    Memory: 139.59 MB / 8.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.9.0 - /usr/local/bin/node
    Yarn: 1.22.19 - /usr/local/bin/yarn
    npm: 10.1.0 - /usr/local/bin/npm
    Watchman: 2024.10.28.00 - /opt/homebrew/bin/watchman
  Browsers:
    Chrome: 132.0.6834.162
    Safari: 18.1.1
  npmPackages:
    %name%:  0.1.0 
    @ampproject/toolbox-optimizer:  undefined ()
    @aws-amplify/adapter-nextjs: ^1.4.2 => 1.4.2 
    @aws-amplify/adapter-nextjs/api:  undefined ()
    @aws-amplify/adapter-nextjs/data:  undefined ()
    @aws-amplify/backend: ^1.14.0 => 1.14.0 
    @aws-amplify/backend-cli: ^1.4.9 => 1.4.9 
    @aws-sdk/client-cognito-identity-provider: ^3.741.0 => 3.741.0 
    @babel/core:  undefined ()
    @babel/runtime:  7.22.5 
    @clerk/nextjs: ^6.10.4 => 6.10.4 
    @edge-runtime/cookies:  6.0.0 
    @edge-runtime/ponyfill:  4.0.0 
    @edge-runtime/primitives:  6.0.0 
    @eslint/eslintrc: ^3 => 3.2.0 
    @hapi/accept:  undefined ()
    @hookform/resolvers: ^3.10.0 => 3.10.0 
    @hookform/resolvers/ajv:  1.0.0 
    @hookform/resolvers/arktype:  2.0.0 
    @hookform/resolvers/class-validator:  1.0.0 
    @hookform/resolvers/computed-types:  1.0.0 
    @hookform/resolvers/effect-ts:  1.0.0 
    @hookform/resolvers/fluentvalidation-ts:  1.0.0 
    @hookform/resolvers/io-ts:  1.0.0 
    @hookform/resolvers/joi:  1.0.0 
    @hookform/resolvers/nope:  1.0.0 
    @hookform/resolvers/superstruct:  1.0.0 
    @hookform/resolvers/typanion:  1.0.0 
    @hookform/resolvers/typebox:  1.0.0 
    @hookform/resolvers/typeschema:  1.0.0 
    @hookform/resolvers/valibot:  1.0.0 
    @hookform/resolvers/vest:  1.0.0 
    @hookform/resolvers/vine:  1.0.0 
    @hookform/resolvers/yup:  1.0.0 
    @hookform/resolvers/zod:  1.0.0 
    @mswjs/interceptors:  undefined ()
    @napi-rs/triples:  undefined ()
    @next/font:  undefined ()
    @next/swc-darwin-arm64:  15.1.6 
    @opentelemetry/api:  undefined ()
    @prisma/client: ^6.3.0 => 6.3.0 
    @radix-ui/react-avatar: ^1.1.2 => 1.1.2 
    @radix-ui/react-collapsible: ^1.1.2 => 1.1.2 
    @radix-ui/react-dialog: ^1.1.5 => 1.1.5 
    @radix-ui/react-dropdown-menu: ^2.1.5 => 2.1.5 
    @radix-ui/react-label: ^2.1.1 => 2.1.1 
    @radix-ui/react-select: ^2.1.5 => 2.1.5 
    @radix-ui/react-separator: ^1.1.1 => 1.1.1 
    @radix-ui/react-slot: ^1.1.1 => 1.1.1 
    @radix-ui/react-tooltip: ^1.1.7 => 1.1.7 
    @types/aws-lambda: ^8.10.147 => 8.10.147 
    @types/jsonwebtoken: ^9.0.8 => 9.0.8 
    @types/node: ^20 => 20.17.16 
    @types/react: ^19 => 19.0.8 
    @types/react-dom: ^19 => 19.0.3 
    @vercel/nft:  undefined ()
    @vercel/og:  0.6.4 
    acorn:  undefined ()
    amphtml-validator:  undefined ()
    anser:  undefined ()
    assert:  undefined ()
    async-retry:  undefined ()
    async-sema:  undefined ()
    aws-amplify: ^6.12.2 => 6.12.2 
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/data:  undefined ()
    aws-amplify/data/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    aws-cdk: ^2.177.0 => 2.177.0 
    aws-cdk-lib: ^2.177.0 => 2.177.0 
    babel-packages:  undefined ()
    browserify-zlib:  undefined ()
    browserslist:  undefined ()
    buffer:  undefined ()
    bytes:  undefined ()
    ci-info:  undefined ()
    class-variance-authority: ^0.7.1 => 0.7.1 
    cli-select:  undefined ()
    client-only:  0.0.1 
    clsx: ^2.1.1 => 2.1.1 
    commander:  undefined ()
    comment-json:  undefined ()
    compression:  undefined ()
    conf:  undefined ()
    constants-browserify:  undefined ()
    constructs: ^10.4.2 => 10.4.2 
    content-disposition:  undefined ()
    content-type:  undefined ()
    cookie:  undefined ()
    cross-spawn:  undefined ()
    crypto-browserify:  undefined ()
    css.escape:  undefined ()
    data-uri-to-buffer:  undefined ()
    debug:  undefined ()
    devalue:  undefined ()
    domain-browser:  undefined ()
    edge-runtime:  undefined ()
    esbuild: ^0.24.2 => 0.24.2 (0.23.1)
    eslint: ^9 => 9.19.0 
    eslint-config-next: 15.1.6 => 15.1.6 
    events:  undefined ()
    find-up:  undefined ()
    fresh:  undefined ()
    glob:  undefined ()
    gzip-size:  undefined ()
    http-proxy:  undefined ()
    http-proxy-agent:  undefined ()
    https-browserify:  undefined ()
    https-proxy-agent:  undefined ()
    icss-utils:  undefined ()
    ignore-loader:  undefined ()
    image-size:  undefined ()
    input-otp: ^1.4.2 => 1.4.2 
    is-animated:  undefined ()
    is-docker:  undefined ()
    is-wsl:  undefined ()
    jest-worker:  undefined ()
    jose: ^5.9.6 => 5.9.6 
    json5:  undefined ()
    jsonwebtoken: ^9.0.2 => undefined (9.0.2, )
    loader-runner:  undefined ()
    loader-utils:  undefined ()
    lodash.curry:  undefined ()
    lru-cache:  undefined ()
    lucide-react: ^0.474.0 => 0.474.0 
    mini-css-extract-plugin:  undefined ()
    motion: ^12.0.6 => 12.0.6 
    nanoid:  undefined ()
    native-url:  undefined ()
    neo-async:  undefined ()
    next: 15.1.6 => 15.1.6 
    next-themes: ^0.4.4 => 0.4.4 
    node-fetch:  undefined ()
    node-html-parser:  undefined ()
    ora:  undefined ()
    os-browserify:  undefined ()
    p-limit:  undefined ()
    p-queue:  undefined ()
    path-browserify:  undefined ()
    path-to-regexp:  undefined ()
    picomatch:  undefined ()
    platform:  undefined ()
    postcss: ^8 => 8.5.1 (8.4.31)
    postcss-flexbugs-fixes:  undefined ()
    postcss-modules-extract-imports:  undefined ()
    postcss-modules-local-by-default:  undefined ()
    postcss-modules-scope:  undefined ()
    postcss-modules-values:  undefined ()
    postcss-preset-env:  undefined ()
    postcss-safe-parser:  undefined ()
    postcss-scss:  undefined ()
    postcss-value-parser:  undefined ()
    prisma: ^6.3.0 => 6.3.0 
    process:  undefined ()
    punycode:  undefined ()
    querystring-es3:  undefined ()
    raw-body:  undefined ()
    react: ^19.0.0 => 19.0.0 (18.3.1)
    react-builtin:  undefined ()
    react-dom: ^19.0.0 => 19.0.0 (18.3.1)
    react-dom-builtin:  undefined ()
    react-dom-experimental-builtin:  undefined ()
    react-experimental-builtin:  undefined ()
    react-hook-form: ^7.54.2 => 7.54.2 
    react-is:  19.0.0-rc-65e06cb7-20241218 
    react-refresh:  0.12.0 
    react-server-dom-turbopack-builtin:  undefined ()
    react-server-dom-turbopack-experimental-builtin:  undefined ()
    react-server-dom-webpack-builtin:  undefined ()
    react-server-dom-webpack-experimental-builtin:  undefined ()
    react-top-loading-bar: ^3.0.2 => 3.0.2 
    regenerator-runtime:  0.13.4 
    sass-loader:  undefined ()
    scheduler-builtin:  undefined ()
    scheduler-experimental-builtin:  undefined ()
    schema-utils:  undefined ()
    semver:  undefined ()
    send:  undefined ()
    server-only: ^0.0.1 => 0.0.1 
    setimmediate:  undefined ()
    shell-quote:  undefined ()
    sonner: ^1.7.4 => 1.7.4 
    source-map:  undefined ()
    source-map08:  undefined ()
    stacktrace-parser:  undefined ()
    stream-browserify:  undefined ()
    stream-http:  undefined ()
    string-hash:  undefined ()
    string_decoder:  undefined ()
    strip-ansi:  undefined ()
    superstruct:  undefined ()
    tailwind-merge: ^2.6.0 => 2.6.0 
    tailwindcss: ^3.4.1 => 3.4.17 
    tailwindcss-animate: ^1.0.7 => 1.0.7 
    tar:  undefined ()
    terser:  undefined ()
    text-table:  undefined ()
    timers-browserify:  undefined ()
    ts-node: ^10.9.2 => 10.9.2 
    tsx: ^4.19.2 => 4.19.2 
    tty-browserify:  undefined ()
    typescript: ^5.7.3 => 5.7.3 (4.4.4, 4.9.5)
    ua-parser-js:  undefined ()
    unistore:  undefined ()
    util:  undefined ()
    vm-browserify:  undefined ()
    watchpack:  undefined ()
    web-vitals:  undefined ()
    webpack:  undefined ()
    webpack-sources:  undefined ()
    ws:  undefined ()
    zod: ^3.24.1 => 3.24.1 (3.23.8, )
    zod-validation-error:  undefined ()
  npmGlobalPackages:
    @aws-amplify/cli: 10.0.0
    @nestjs/cli: 10.1.17
    @sanity/cli: 3.10.0
    corepack: 0.20.0
    eas-cli: 12.6.2
    expo-cli: 5.4.9
    firebase-tools: 13.23.1
    gulp: 4.0.2
    nextui-cli: 0.2.0
    nodemon: 2.0.15
    npm: 10.1.0
    serverless: 3.22.0
    typescript: 4.9.5
    yarn: 1.22.19

Describe the bug

I am using Amplify Auth for passwordless sign-in with email and OTP. My user pool does not have any users, and when I tried signing in with different emails I got inconsistent responses. For a few emails it sent back

```json
{ "isSignedIn": false, "nextStep": { "signInStep": "CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION", "availableChallenges": [ "PASSWORD_SRP", "PASSWORD", "WEB_AUTHN" ] } }
```

But strangely, I tried one email of mine, which is not present in the user pool either, and it gave back this response:

```json
{ "isSignedIn": false, "nextStep": { "signInStep": "CONFIRM_SIGN_IN_WITH_EMAIL_CODE", "codeDeliveryDetails": { "deliveryMedium": "EMAIL", "destination": "s***@o***" } } }
```

This response comes when an OTP has been sent to the email, but this email did not receive any OTP after trying multiple times. Why is this response coming for an email which is not registered in this user pool? It should have given an error for nonexistent users. Also, for other emails not present in the user pool, it is giving the first response above.

Why is this inconsistent behavior present? I am not going to use it for production as of now.

Expected behavior

In case of an email not present in the user pool, the sign-in method should have thrown an error.

Reproduction steps

  1. Use passwordless sign-in with email and OTP.
  2. Try with emails not present in the user pool.

Code Snippet

Here is my code

```tsx
import { signIn } from "aws-amplify/auth";
// Assumed: `router` comes from Next.js' useRouter() and `toast` from sonner
// (both are in the dependency list); they are set up elsewhere in the component,
// as is `redirectURL`, the page the verify step should return to.
import { useRouter } from "next/navigation";
import { toast } from "sonner";

const handleSignIn = async (e: React.FormEvent<HTMLFormElement>) => {
    e.preventDefault();
    const form = e.target as HTMLFormElement;
    const email = (form.elements.namedItem("email") as HTMLInputElement).value;

    try {
      // USER_AUTH is the choice-based flow; EMAIL_OTP asks Cognito to start the
      // passwordless e-mail code challenge directly instead of offering a menu.
      const response = await signIn({
        username: email,
        options: {
          authFlowType: "USER_AUTH",
          preferredChallenge: "EMAIL_OTP",
        },
      });

      console.log("nextStep", response);

      if (response.nextStep.signInStep === "CONFIRM_SIGN_IN_WITH_EMAIL_CODE") {
        // Encode both query values so an address containing '+' or '&' survives the round trip.
        router.push(
          `/auth/sign-in/verify?email=${encodeURIComponent(email)}&redirectURL=${encodeURIComponent(redirectURL)}`
        );
      }
    } catch (error) {
      console.error(error);
      toast.error("An error occurred. Please try again.");
    }
  };
```


@HuiSF
Member

HuiSF commented Feb 7, 2025

Hi @shashanksrajak thanks for reporting this issue, we will investigate.

@jjarvisp
Member

jjarvisp commented Feb 7, 2025

Hi @shashanksrajak, thanks for opening this issue!

The behavior you're describing is designed to prevent user enumeration in your user pool; i.e. a third party cannot identify existing vs. nonexistent users based on the response received. Here's some more information about user existence errors from Cognito.

This feature can be toggled off in your user pool client settings by disabling the "Prevent user existence errors" setting. With this disabled, your application will receive a 400 response from Cognito and Amplify will surface a UserNotFoundException. This should produce consistent behavior for nonexistent email addresses.

Also, could you share some more details about your user pool configuration? Do you have just Email OTP and Password as available sign-in choices? Do you have other required attributes for sign-up other than email?
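Added example (not code from the issue or from the Amplify project): a pure helper that maps the two `signIn` results quoted above, and the `UserNotFoundException` the maintainer mentions, to a UI state that does not itself tell the caller whether the e-mail exists. The field names follow the responses in the issue; the `UiState` values are my own.

```typescript
// Shape of the relevant fields of Amplify's signIn output, as quoted in the issue.
type SignInOutput = {
  isSignedIn: boolean;
  nextStep: {
    signInStep: string;
    availableChallenges?: string[];
    codeDeliveryDetails?: { deliveryMedium: string; destination: string };
  };
};

// UI outcomes (names are assumptions for this example).
type UiState =
  | { kind: "verify_code"; destination: string } // go to the OTP form
  | { kind: "generic_check_inbox" }              // neutral message, nothing revealed
  | { kind: "retry" };                           // anything else

function resolveSignIn(out: SignInOutput): UiState {
  const { signInStep, availableChallenges = [], codeDeliveryDetails } = out.nextStep;

  // Cognito reports an e-mail code was issued: proceed to the verify page.
  if (signInStep === "CONFIRM_SIGN_IN_WITH_EMAIL_CODE" && codeDeliveryDetails) {
    return { kind: "verify_code", destination: codeDeliveryDetails.destination };
  }

  // First response in the issue: "Prevent user existence errors" is on and
  // EMAIL_OTP is not among the offered challenges. Show a neutral message so the
  // front end does not turn the protected backend response into an oracle.
  if (
    signInStep === "CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION" &&
    !availableChallenges.includes("EMAIL_OTP")
  ) {
    return { kind: "generic_check_inbox" };
  }
  return { kind: "retry" };
}

// With the setting disabled, Amplify throws UserNotFoundException instead; map it
// to the same neutral message so the enumeration protection moves into the app.
function resolveSignInError(err: unknown): UiState {
  const name = err instanceof Error ? err.name : "";
  return name === "UserNotFoundException"
    ? { kind: "generic_check_inbox" }
    : { kind: "retry" };
}
```

Call `resolveSignIn` on the awaited `signIn(...)` result and `resolveSignInError` in the `catch`, then render the `UiState` instead of branching on the raw response.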

@jjarvisp
Member

Hey @shashanksrajak, was the information provided helpful or have you encountered any additional obstacles implementing passwordless?
