AWS Cognito User Pool - how to keep phone numbers unique while phone number is not a login alias

Question

1. I'm using AWS Cognito User Pool on public website.
2. Phone number is not login alias as a result of business/security requirement.
3. I have a requirement for users to have unique verified phone numbers.
4. I have to verify both email and phone.

However, because of #2 Cognito allows several users to have the same verified phone number, thus I'm struggling with #3.

I've tried to use Post-Confirmation lambda, but if phone is already confirmed, lambda doesn't get triggered on email confirmation, since Cognito considers that a user is already confirmed after phone or email are confirmed - this already kills that idea, but I also suppose that even if I throw exception, user will remain confirmed.

Additional complexity is being added with ability of users to change their phone/email anytime out of our website (since due to publicity there is no client secret).

It would be ideal for me, if Cognito would have a lambda event for pre-confirmation of phone and email. But what can be a workaround here?

Answer 1

The behavior you describe is correct. Unfortunately, if you don't use phone number as alias in your user pool you can have the same number in the verified state in multiple accounts. That requirement (a single verified phone number in a user pool) is only enforced if phone number is an alias.

I will mention the use case and your lambda trigger suggestion within the team as a feature request.