It's possible to change email without confirmation code

[KamilSucharski]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.

Language and Async Model

RxJava

Amplify Categories

Authentication

Gradle script dependencies

implementation 'com.amplifyframework:core:2.29.1'
implementation 'com.amplifyframework:aws-auth-cognito:2.29.1'
implementation 'com.amplifyframework:rxbindings:2.29.1'
coreLibraryDesugaring 'com.android.tools:desugar_jdk_libs:2.1.5'

Environment information

Welcome to Gradle 8.14.2!

Here are the highlights of this release:
 - Java 24 support
 - GraalVM Native Image toolchain selection
 - Enhancements to test reporting
 - Build Authoring improvements

For more details see https://docs.gradle.org/8.14.2/release-notes.html


------------------------------------------------------------
Gradle 8.14.2
------------------------------------------------------------

Build time:    2025-06-05 13:32:01 UTC
Revision:      30db2a3bdfffa9f8b40e798095675f9dab990a9a

Kotlin:        2.0.21
Groovy:        3.0.24
Ant:           Apache Ant(TM) version 1.10.15 compiled on August 25 2024
Launcher JVM:  21.0.6 (JetBrains s.r.o. 21.0.6+-13391695-b895.109)
Daemon JVM:    D:\Programs\Android\Android Studio\jbr (no JDK specified, using current Java home)
OS:            Windows 11 10.0 amd64

Please include any relevant guides or documentation you're referencing

No response

Describe the bug

When I run the below code, I first get:

AuthUpdateAttributeResult{isUpdated=false, nextStep=AuthNextUpdateAttributeStep{updateAttributeStep=CONFIRM_ATTRIBUTE_WITH_CODE, additionalInfo={}, codeDeliveryDetails=AuthCodeDeliveryDetails{destination='***@***', deliveryMedium=EMAIL, attributeName='email'}}}

Which is expected, as I should navigate to another screen to enter the confirmation code. But if the user triggers it again with the same data (for example, after clicking the back button), then the SDK returns a different result:

AuthUpdateAttributeResult{isUpdated=true, nextStep=AuthNextUpdateAttributeStep{updateAttributeStep=DONE, additionalInfo={}, codeDeliveryDetails=null}}

Which means the user has bypassed the confirmation code, and forced the new email to be accepted, simply by running the same method twice.

Reproduction steps (if applicable)

No response

Code Snippet

RxAmplify
    .Auth
    .updateUserAttribute(
        AuthUserAttribute(
            AuthUserAttributeKey.email(),
            email
        )
     )
    .map { result ->
        // Result handling
    }

Log output

No response

Configuration File

No response

GraphQL Schema

No response

Additional information and screenshots

No response

[tylerjroach]

Hi @KamilSucharski. I believe you have disabled email attribute verification, which allows for immediate (unverified) email address changes.

From the Amazon Cognito console side bar, go to Authentication -> Sign-up. Then click "Edit" on the "Attribute verification and user account confirmation" section. Observe the "Verifying attribute changes" section. I expect to see that you have "Keep original attribute value active when an update is pending - Recommended" disabled (unchecked). You will want to enable this and make sure "Email address" is selected.

What is happening on the client side is that you are updating the user's email address with the first updateUserAttribute call. You can confirm this by viewing the user in the Cognito console. Here you should see the new email address shown, but unverified. On your second call, Cognito is confirming that the email address already matches the call provided. Within the Cognito console, you should confirm that the email address is still "unverified". The verification email is only sent once.

Please see the Cognito documentation on this for more information: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#verifying-when-users-change-their-email-or-phone-number