Manage passwords

Amplify Auth provides a secure way for your users to change their password or recover a forgotten password.

Understand password default settings

By default, your users can retrieve access to their accounts if they forgot their password by using either their phone or email. The following are the default account recovery methods used when either phone or email are used as login options.

Login option	User account verification channel
`phone`	Phone Number
`email`	Email
`email` and `phone`	Email

Reset Password

To reset a user's password, use the resetPassword API which will send a reset code to the destination (e.g. email or SMS) based on the user's settings.

func resetPassword(username: String) async {
        let resetResult = try await Amplify.Auth.resetPassword(for: username)
        switch resetResult.nextStep {
            case .confirmResetPasswordWithCode(let deliveryDetails, let info):
                print("Confirm reset password with code send to - \(deliveryDetails) \(String(describing: info))")
            case .done:
                print("Reset completed")
    } catch let error as AuthError {
        print("Reset password failed with error \(error)")
    } catch {
        print("Unexpected error: \(error)")

func resetPassword(username: String) -> AnyCancellable {
    Amplify.Publisher.create {
            try await Amplify.Auth.resetPassword(for: username)
        }.sink {
            if case let .failure(authError) = $0 {
                print("Reset password failed with error \(authError)")
        receiveValue: { resetResult in
            switch resetResult.nextStep {
            case .confirmResetPasswordWithCode(let deliveryDetails, let info):
                print("Confirm reset password with code send to - \(deliveryDetails) \(String(describing: info))")
            case .done:
                print("Reset completed")

Usually, resetting the password require you to verify that it is the actual user that tried to reset the password. The next step above will be .confirmResetPasswordWithCode.

If you would like to display a more specific view or messaging to your users based the error that occurred, you can handle this by downcasting the underlyingError to AWSCognitoAuthError.

if let authError = error as? AuthError,
    let cognitoAuthError = authError.underlyingError as? AWSCognitoAuthError {
    switch cognitoAuthError {
    case .userNotFound:
        print("User not found")
    case .invalidParameter:
        print("Invalid Parameter)
    default:
        break

To complete the password reset process, invoke the confirmResetPassword API with the code your user received and the new password they want to set.

func confirmResetPassword(
    username: String,
    newPassword: String,
    confirmationCode: String
        try await Amplify.Auth.confirmResetPassword(
            for: username,
            with: newPassword,
            confirmationCode: confirmationCode
        print("Password reset confirmed")
    } catch let error as AuthError {
        print("Reset password failed with error \(error)")
    } catch {
        print("Unexpected error: \(error)")

func confirmResetPassword(
    username: String,
    newPassword: String,
    confirmationCode: String
) -> AnyCancellable {
    Amplify.Publisher.create {
        try await Amplify.Auth.confirmResetPassword(
            for: username,
            with: newPassword,
            confirmationCode: confirmationCode
    }.sink {
        if case let .failure(authError) = $0 {
            print("Reset password failed with error \(authError)")
    receiveValue: {
        print("Password reset confirmed")

Update password

You can update a signed in user's password using the updatePassword API.

func changePassword(oldPassword: String, newPassword: String) async {
        try await Amplify.Auth.update(oldPassword: oldPassword, to: newPassword)
        print("Change password succeeded")
    } catch let error as AuthError {
        print("Change password failed with error \(error)")
    } catch {
        print("Unexpected error: \(error)")

func changePassword(oldPassword: String, newPassword: String) -> AnyCancellable {
    Amplify.Publisher.create {
            try await Amplify.Auth.update(oldPassword: oldPassword, to: newPassword)
        }.sink {
            if case let .failure(authError) = $0 {
                print("Change password failed with error \(authError)")
        receiveValue: {
            print("Change password succeeded")

Override default user account verification channel

You can always change the channel used by your authentication resources by overriding the following setting.

amplify/auth/resource.ts
import { defineAuth } from '@aws-amplify/backend';
export const auth = defineAuth({
  loginWith: {
    email: true
  accountRecovery: 'EMAIL_ONLY'

Override default password policy

You can customize the password format acceptable by your auth backend. By default your password policy is set to the following:

MinLength: 8 characters
requireLowercase: true
requireUppercase: true
requireDigits: true
tempPasswordValidity: 3 days

amplify/backend.ts
// amplify/backend.ts
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';
const backend = defineBackend({
// extract L1 UserPool construct
const { cfnUserPool } = backend.auth.resources.cfnResources;
// from the CDK use `addPropertyOverride` to modify properties directly
cfnUserPool.addPropertyOverride('Policies.PasswordPolicy.MinimumLength', 32);

With admin actions

Manage devices