AWS Cognito Passwordless Review

An Overview of AWS Cognito

Passwordless authentication with Amazon Cognito lets users sign in to your application (not to the AWS account itself) without typing a password. The application's users live in an Amazon Cognito user pool; an email address (the case covered here) or a phone number serves as the identifier, and a one-time code sent to it serves as the credential.

Memorizing passwords is a hassle, especially for accounts that are rarely used, and many people click "forgot password" on apps and websites more often than they actually sign in. To avoid that, people take risky shortcuts: easily guessable passwords, the same password reused across many apps and websites, or short passwords. Password managers help, but they are not universally adopted and not every user finds them convenient.

Other alternatives exist, such as facial recognition or fingerprint sign-in, but they depend on hardware the user has to own and the site has to support. Passwordless sign-in with Amazon Cognito is a simpler alternative: the app or website sends the user a one-time login code by email (or by SMS or push notification, if you wire those up), the user keys it in, and they are done. It works much like a "forgot password" reset, only shorter, and without the notion that the user forgot anything. Amazon Cognito supports this through custom authentication flows that you define yourself.

Insights into AWS Cognito

Amazon Cognito passwordless email authentication uses an Amazon Cognito user pool together with a handful of Lambda functions; deployed together, they implement the custom authentication flow. Amazon Simple Email Service (Amazon SES) sends the one-time login codes by email, and a small set of UI pages (HTML and JavaScript) drives the sign-in process.

How the flow works, step by step

  1. The user enters their email address on the sign-in page; the page sends it to the Amazon Cognito user pool, which starts the custom authentication flow.
  2. The user pool invokes the Define Auth Challenge Lambda function, which decides that a custom challenge should be presented.
  3. The user pool invokes the Create Auth Challenge Lambda function, which generates a secret login code and sends it to the user's email address through Amazon SES.
  4. The user reads the code from their mailbox and enters it on the sign-in page, which sends it to the user pool as the answer to the challenge.
  5. The user pool invokes the Verify Auth Challenge Response Lambda function, which checks the answer against the secret login code.
  6. The user pool invokes Define Auth Challenge again; it sees that the challenge was answered correctly and tells the user pool to issue tokens. The user pool then considers the user authenticated and returns JSON Web Tokens (JWTs) to the page.

AWS Cognito Serverless application

Relevant parts of the user pool configuration

  • Uses email addresses as usernames.
  • Has an app client configured to allow only the custom authentication flow. Amazon Cognito still requires a password when a user signs up, so the app supplies a random string that the user never sees; because the app client permits no password-based sign-in, that string can never be used to log in, and each login code is single-use rather than something a user can reuse later.
  • Has the Lambda functions that implement the custom authentication flow configured as its triggers.

AWS Lambda with Amazon SNS

A Lambda function can process Amazon Simple Notification Service (Amazon SNS) notifications: you subscribe the function to an SNS topic, and it becomes a target for every message published to that topic. A function can subscribe to topics in its own AWS account as well as to topics in other AWS accounts.

Amazon SNS invokes the function asynchronously with an event that contains the message and its metadata.

For a cross-account delivery, you must first grant Amazon SNS permission to invoke your Lambda function, and the account that owns the topic must grant the account that owns the function permission to subscribe to the topic.

In other words, each account grants the other access to its own resource (the SNS topic on one side, the Lambda function on the other). Setting up these cross-account permissions requires the AWS Command Line Interface (AWS CLI), because the AWS Management Console does not expose all the necessary options.

a. Define Auth Challenge

The Define Auth Challenge Lambda function drives the custom authentication flow, much like the decision function of a state machine. It determines which challenges are presented to the user and in what order, and finally reports back to the user pool whether the user succeeded or failed to authenticate. The user pool invokes it at the start of the custom authentication flow and again after every Verify Auth Challenge Response trigger.

b. Create Auth Challenge

The Create Auth Challenge Lambda function is invoked when Define Auth Challenge asks for a custom challenge. It generates the one-time login code, sends it to the user by email, and hands the code back to the user pool as a private challenge parameter (never visible to the client) so that it can be verified later.

c. Verify Auth Challenge-Response

The user pool invokes this function once the user submits an answer to the challenge. Its only job is to determine whether that answer is correct.

Verify Auth Challenge Response trigger

This function checks whether the user's answer matches the secret login code. It should compare the two in constant time and set only the answer-correct flag; the decision about what happens next belongs to Define Auth Challenge.

Define Auth Challenge trigger

This function is the decider and manages the authentication flow. The whole state of the flow is available in the session array passed to the function. If the array is empty, the custom authentication flow is just starting. If it contains entries, the flow is already under way: a challenge was sent to the user, an answer came back, and it was verified as right or wrong. In either case the function must decide the next step: present a (new or repeated) challenge, issue tokens, or fail the authentication.

Pre Sign-up trigger

This function auto-confirms users at sign-up and marks their email addresses as verified, so no separate confirmation step is needed before the first passwordless sign-in.

Implementing the custom sign-in page

A custom sign-in page is needed to drive the user pool's custom authentication flow. The AWS Amplify framework integrates the page with Amazon Cognito; the page itself can be built with whatever front-end framework you prefer (Vue, plain HTML and JavaScript, Angular, React).

Signing up

When users sign up, the app must generate a password for them, because Amazon Cognito requires one at sign-up even though it will never be used for sign-in.

Signing in

Here the page initiates authentication with the user's email address, which begins the custom flow.

Answering the custom challenge

The user checks their email and retrieves the secret login code. The page then uses AWS Amplify to send that code to the user pool as the answer to the custom challenge. One of three things happens:

  • If the code is correct, the user pool responds with JWTs, which AWS Amplify stores in the user's browser.
  • If the code is wrong but it is not yet the third attempt, the user gets another chance to enter it.
  • If the code is wrong for the third time, authentication fails and the session ends; the user has to return to the sign-in page and begin a new custom authentication flow.
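The client side of this exchange as an added example (not code from the page or the AWS sample). It is written against the two Amplify v5 Auth calls the flow needs, Auth.signIn(email) and Auth.sendCustomChallengeAnswer(user, code), but the Auth object is injected so the loop can be exercised offline with the stand-in below. Assumptions about Amplify's behaviour, stated here because the page does not spell them out: the returned user carries challengeName === 'CUSTOM_CHALLENGE' while a challenge is pending, carries a signInUserSession once tokens are issued, and the third wrong answer surfaces as a thrown NotAuthorizedException because the user pool has ended the session.

```javascript
// Added example: client loop for answering the custom challenge.
// `auth` is assumed to be Amplify v5's Auth (configured with
// authenticationFlowType: 'CUSTOM_AUTH'); response shapes are assumptions.
const MAX_CLIENT_ATTEMPTS = 3;   // matches the user pool's "third time" rule

// Initiates sign-in, then answers the challenge until tokens arrive or the user
// pool closes the session. askForCode(attempt) is the UI prompt.
async function signInWithEmailCode(auth, email, askForCode) {
  let user = await auth.signIn(email);           // starts CUSTOM_AUTH; code gets emailed
  for (let attempt = 1; attempt <= MAX_CLIENT_ATTEMPTS; attempt++) {
    if (user.challengeName !== 'CUSTOM_CHALLENGE') break;   // nothing left to answer
    const code = await askForCode(attempt);
    try {
      user = await auth.sendCustomChallengeAnswer(user, code);
    } catch (err) {
      if (err.code === 'NotAuthorizedException') {          // assumed: session ended by the pool
        return { ok: false, reason: 'too many wrong codes; start over from the sign-in page' };
      }
      throw err;                                            // network or config errors propagate
    }
  }
  if (user.signInUserSession) {
    return { ok: true, idToken: user.signInUserSession.idToken.jwtToken };
  }
  return { ok: false, reason: 'challenge still pending' };
}

// Constructed stand-in for Amplify's Auth so the loop runs offline: it knows the
// code that was "emailed" and ends the session on the third wrong answer.
function makeFakeAuth(emailedCode, maxWrong = 3) {
  let wrong = 0;
  return {
    async signIn(username) {
      return { username, challengeName: 'CUSTOM_CHALLENGE' };
    },
    async sendCustomChallengeAnswer(user, answer) {
      if (answer === emailedCode) {
        return { username: user.username, signInUserSession: { idToken: { jwtToken: 'fake.id.token' } } };
      }
      if (++wrong >= maxWrong) {
        const err = new Error('Incorrect username or password.');
        err.code = 'NotAuthorizedException';
        throw err;
      }
      return { username: user.username, challengeName: 'CUSTOM_CHALLENGE' };
    },
  };
}
```

The client-side cap is only a courtesy to the user; the real limit is enforced by the Define Auth Challenge trigger in the user pool, which is why the loop treats the thrown error, not its own counter, as the authoritative "start over" signal.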

Conclusion

Passwordless authentication with Amazon Cognito sends a secret login code to users by email instead of asking them for a password. Depending on your app's or website's security requirements, it can be a good balance between user-friendliness and security: each code is single-use and tied to a mailbox the user controls, so its strength ultimately rests on the security of that mailbox. Since the solution is built from Lambda functions, it can be adapted and extended to suit your needs.