Did you know that passwordless authentication is often more secure than traditional password-based methods? Many companies are transitioning to passwordless authentication to enhance security and maintain compliance.
In this article, I will explain AWS Cognito, an AWS service for authentication, sign-in, and user management, and demonstrate how to configure it for passwordless authentication.
AWS Cognito is a fully managed service for user authentication and user management. While it has been around for over a decade, in November 2024, AWS introduced new features, including passwordless authentication, to enhance security and usability.
I will walk you through configuring AWS Cognito for passwordless sign-in, signing up a user, and redirecting them to a desired website upon successful login.
Let's look at the architecture diagram!
Introduction to AWS Cognito Service & Passwordless Authentication
The Amazon Cognito service for sign-in, authentication, and user management has been around for about 11 years, and AWS has kept adding features to it.
As of November 2024, AWS Cognito supports passwordless authentication. In this article, I'll demonstrate how to leverage AWS Cognito to secure your application with passwordless sign-in.
AWS Cognito supports passwordless authentication through the following methods:
- One-Time Passwords (OTP): codes sent to the user's verified email address or phone number (SMS).
- Passkeys: WebAuthn/FIDO2 credentials that the user unlocks on their device with a fingerprint, face, or PIN. The biometric never leaves the device; Cognito only verifies the signature the device produces.
Why Passwordless?
Weak passwords continue to be a significant vulnerability in securing online accounts. Reports over the past few years have shown that commonly used passwords, such as "password" or "123456," frequently top the lists compiled from breaches. With passwordless authentication these shortcomings are mitigated, as there is no password to steal, guess, or reuse. The methods are not equally strong, though: an emailed OTP moves the trust to the user's mailbox and can still be relayed by a phishing page in real time, whereas a passkey is bound to the site's origin and cannot be phished that way.
Setting up a Cognito User Pool and configuring login attributes
Let's set up a user pool and configure the attributes used for sign-in. Creating a user pool is the first step in getting Cognito authentication configured.
To create a user pool, sign in to the AWS Management Console, navigate to the Amazon Cognito service, and create a user pool.
Provide a name for the user pool and select email as the sign-in attribute. The email address is then used as the username for both sign-up and sign-in.
Optionally, you can specify a return URL (the app client's callback URL). After a successful sign-in, the Hosted UI redirects the user to this URL. Cognito only redirects to URLs on this list, which must use HTTPS (http://localhost for development and app-specific custom schemes are the exceptions), so the list is what prevents the sign-in page from being used as an open redirect.
You can also enable MFA for additional security, but I will skip that for now.
The user pool and app client are now created.
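The console steps above map onto a handful of user pool and app client settings. The following Python audit is added here as an example and is not code from the original article or from AWS: it checks those settings on the dict shapes that boto3's describe_user_pool and describe_user_pool_client return. The sample pool and app client configurations in it are constructed for the demo, and the tier requirement and callback-URL rules it encodes are assumptions taken from the AWS documentation at the time of the November 2024 launch.

```python
"""Audit a Cognito user pool and its hosted-UI app client for the settings the
passwordless walk-through depends on.

Added example, not code from the original article. It reads the dict shapes
that boto3's describe_user_pool()["UserPool"] and
describe_user_pool_client()["UserPoolClient"] return; the sample configurations
at the bottom are constructed for the demo, not captured from a real account.
"""
from urllib.parse import urlparse

PASSWORDLESS_FACTORS = {"EMAIL_OTP", "SMS_OTP", "WEB_AUTHN"}  # SignInPolicy values
PASSWORD_API_FLOWS = {"ALLOW_USER_PASSWORD_AUTH", "ALLOW_ADMIN_USER_PASSWORD_AUTH"}


def audit_user_pool(pool: dict) -> list[str]:
    """Return findings for a UserPool description; an empty list means ready."""
    findings = []
    policy = pool.get("Policies", {}).get("SignInPolicy", {})
    factors = set(policy.get("AllowedFirstAuthFactors", []))
    if not factors & PASSWORDLESS_FACTORS:
        findings.append("no passwordless first factor in SignInPolicy.AllowedFirstAuthFactors")
    elif "PASSWORD" in factors:
        findings.append("PASSWORD is still an accepted first factor: passwordless is optional, not enforced")
    if "email" not in pool.get("UsernameAttributes", []) and "email" not in pool.get("AliasAttributes", []):
        findings.append("email is neither a username attribute nor an alias; users cannot sign in with it")
    if "email" not in pool.get("AutoVerifiedAttributes", []):
        findings.append("email is not auto-verified at sign-up; the OTP only goes to a verified address")
    if pool.get("UserPoolTier") == "LITE":  # assumption: passwordless is not in the Lite tier
        findings.append("UserPoolTier is LITE; passwordless sign-in needs the ESSENTIALS or PLUS tier")
    return findings


def audit_app_client(client: dict) -> list[str]:
    """Return findings for a UserPoolClient description."""
    findings = []
    flows = set(client.get("ExplicitAuthFlows", []))
    if "ALLOW_USER_AUTH" not in flows:
        findings.append("ExplicitAuthFlows lacks ALLOW_USER_AUTH; API clients cannot use choice-based sign-in")
    if flows & PASSWORD_API_FLOWS:
        findings.append(f"password-based API flows still enabled: {sorted(flows & PASSWORD_API_FLOWS)}")
    if "implicit" in client.get("AllowedOAuthFlows", []):
        findings.append("implicit grant enabled; it puts tokens in the redirect URL fragment, use code + PKCE")
    urls = client.get("CallbackURLs", [])
    if not urls:
        findings.append("no CallbackURLs; the hosted UI has nowhere it is allowed to redirect")
    for url in urls:
        parsed = urlparse(url)
        dev_local = parsed.scheme == "http" and parsed.hostname in ("localhost", "127.0.0.1")
        if parsed.scheme == "http" and not dev_local:
            findings.append(f"callback URL is plain HTTP: {url}")
        if parsed.fragment:
            findings.append(f"callback URL contains a fragment, which Cognito rejects: {url}")
    return findings


# Constructed samples: a pool with the console defaults (password only), the same
# pool after the article's sign-in-experience change, and a hosted-UI app client.
DEFAULT_POOL = {
    "Id": "us-east-1_EXAMPLE", "UserPoolTier": "ESSENTIALS",
    "UsernameAttributes": ["email"], "AutoVerifiedAttributes": ["email"],
    "Policies": {"SignInPolicy": {"AllowedFirstAuthFactors": ["PASSWORD"]}},
}
PASSWORDLESS_POOL = {**DEFAULT_POOL,
    "Policies": {"SignInPolicy": {"AllowedFirstAuthFactors": ["PASSWORD", "EMAIL_OTP"]}}}
HOSTED_UI_CLIENT = {
    "ClientId": "1example23456789",
    "ExplicitAuthFlows": ["ALLOW_USER_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    "AllowedOAuthFlows": ["code"], "CallbackURLs": ["https://cloudwithgirish.com"],
}

if __name__ == "__main__":
    for name, pool in (("default pool", DEFAULT_POOL), ("passwordless pool", PASSWORDLESS_POOL)):
        print(name, audit_user_pool(pool) or ["ok"])
    print("app client", audit_app_client(HOSTED_UI_CLIENT) or ["ok"])
```

Against a real account, feed it `boto3.client("cognito-idp").describe_user_pool(UserPoolId=...)["UserPool"]` and the matching `describe_user_pool_client(...)["UserPoolClient"]`. The "PASSWORD is still an accepted first factor" finding is informational: it is exactly the state this walk-through ends in, where email OTP is offered but a password still works.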
Testing the authentication flow using the Hosted UI
Once the user pool and app client are created, you can use the Hosted UI provided by AWS to validate the login process. Click on "View Login Page" to access the sign-in page.
Since this is the first time accessing the page, you'll need to create an account, as the Cognito user pool does not yet have any users.
Click on "Create an account" to navigate to the sign-up page. Fill in the required details, such as your email and password, following the password policy configured during setup. Then, click "Sign Up".
Once the account is created, log in using your email address and password.
After a successful login, you will be redirected to the return URL configured during setup. In this example the configured URL was https://cloudwithgirish.com, so the following page is displayed:
Customize the Sign-In Experience
Now that we have created and validated a user, let's go back to the user pool and configure it for passwordless sign-in.
- Edit the Sign-in experience settings and, under the choice-based sign-in options, enable the email one-time password method alongside password sign-in.
- Save the changes. For applications that call the Cognito API directly rather than using the Hosted UI, also confirm that the app client allows the choice-based (USER_AUTH) authentication flow, otherwise the new method is not offered to them.
Edit sign in experience to allow login with email.
Once configured, navigate back to the sign-in page and log in again. Since the user pool is now set up for passwordless sign-in, an OTP will be sent to your email. Enter the OTP to complete the login process.
In this example, I used the default Cognito email sender for OTP delivery. For production use, configure Amazon SES for email (the default sender has a small daily sending quota) and Amazon SNS if you also enable SMS codes. Additionally, enabling logging and monitoring with CloudWatch, together with the CloudTrail records of the Cognito API calls, gives you the observability to track login attempts and troubleshoot issues effectively.
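The Hosted UI hides the protocol. When an application calls Cognito directly, the same passwordless login is the USER_AUTH flow: InitiateAuth with PREFERRED_CHALLENGE set to EMAIL_OTP, an EMAIL_OTP challenge carrying a Session, and RespondToAuthChallenge with the code from the mailbox. The following Python example is added here and is not code from the original article or from AWS. The API parameter and response names follow the boto3 cognito-idp client; FakeCognito is a constructed stand-in for the service so that both sides of the exchange run offline, and its attempt limit and six-digit code are demo choices, not documented Cognito values.

```python
"""Passwordless (email OTP) sign-in through Cognito's choice-based USER_AUTH flow.

Added example, not code from the original article. The API names follow the
boto3 `cognito-idp` client (initiate_auth / respond_to_auth_challenge);
FakeCognito is a constructed stand-in so both sides of the exchange run offline.
"""
import secrets


class NotAuthorizedException(Exception):
    """Stands in for botocore's client.exceptions.NotAuthorizedException."""


class FakeCognito:
    """Constructed model of the server side of the exchange (not AWS code).

    It returns the same response shapes the real service does and enforces the
    properties a client must cope with: the Session is bound to one attempt and
    one user, the code is single-use, and repeated wrong codes end the attempt.
    """
    MAX_ATTEMPTS = 3  # demo limit; not a documented Cognito value

    def __init__(self, client_id: str, allowed_factors: set):
        self.client_id = client_id
        self.allowed_factors = allowed_factors
        self.sessions = {}  # Session -> {"user", "code", "tries"}
        self.mailbox = []   # (destination, code) pairs "emailed" to users

    def initiate_auth(self, *, AuthFlow, ClientId, AuthParameters):
        if AuthFlow != "USER_AUTH" or ClientId != self.client_id:
            raise NotAuthorizedException("unsupported flow or unknown client")
        user = AuthParameters["USERNAME"]
        if AuthParameters.get("PREFERRED_CHALLENGE") == "EMAIL_OTP":
            return self._send_email_otp(user)
        # No usable preference: the real service asks the client to choose.
        session = secrets.token_urlsafe(16)
        self.sessions[session] = {"user": user, "code": None, "tries": 0}
        return {"ChallengeName": "SELECT_CHALLENGE", "Session": session,
                "AvailableChallenges": sorted(self.allowed_factors)}

    def _send_email_otp(self, user):
        if "EMAIL_OTP" not in self.allowed_factors:
            raise NotAuthorizedException("EMAIL_OTP is not an allowed first factor")
        code = f"{secrets.randbelow(10**6):06d}"  # six digits for the demo
        session = secrets.token_urlsafe(16)
        self.sessions[session] = {"user": user, "code": code, "tries": 0}
        self.mailbox.append((user, code))
        masked = user[0] + "***@" + user.split("@", 1)[-1]  # e.g. a***@example.com
        return {"ChallengeName": "EMAIL_OTP", "Session": session,
                "ChallengeParameters": {"CODE_DELIVERY_DELIVERY_MEDIUM": "EMAIL",
                                        "CODE_DELIVERY_DESTINATION": masked}}

    def respond_to_auth_challenge(self, *, ClientId, ChallengeName, Session, ChallengeResponses):
        state = self.sessions.get(Session)
        if ClientId != self.client_id or state is None or state["user"] != ChallengeResponses.get("USERNAME"):
            raise NotAuthorizedException("Invalid session for the user.")
        if ChallengeName == "SELECT_CHALLENGE":
            if ChallengeResponses.get("ANSWER") != "EMAIL_OTP":
                raise NotAuthorizedException("challenge not available")
            del self.sessions[Session]  # the selection session is consumed
            return self._send_email_otp(state["user"])
        if ChallengeName != "EMAIL_OTP":
            raise NotAuthorizedException("unexpected challenge")
        submitted = str(ChallengeResponses.get("EMAIL_OTP_CODE", ""))
        if not secrets.compare_digest(submitted, state["code"]):  # constant-time compare
            state["tries"] += 1
            if state["tries"] >= self.MAX_ATTEMPTS:
                del self.sessions[Session]  # too many failures: the client must start over
            raise NotAuthorizedException("Incorrect code")
        del self.sessions[Session]  # code and session are single-use
        return {"AuthenticationResult": {"AccessToken": secrets.token_urlsafe(32),
                                         "IdToken": secrets.token_urlsafe(32),
                                         "RefreshToken": secrets.token_urlsafe(32),
                                         "TokenType": "Bearer", "ExpiresIn": 3600}}


def passwordless_sign_in(cognito, client_id, username, read_code, prefer_email_otp=True):
    """Client side: ask for an email OTP for `username`, get the code through
    `read_code(destination)` (the user reading their inbox) and exchange it for
    tokens. Works with a real boto3 cognito-idp client or with FakeCognito."""
    params = {"USERNAME": username}
    if prefer_email_otp:
        params["PREFERRED_CHALLENGE"] = "EMAIL_OTP"
    resp = cognito.initiate_auth(AuthFlow="USER_AUTH", ClientId=client_id, AuthParameters=params)
    if resp.get("ChallengeName") == "SELECT_CHALLENGE":
        if "EMAIL_OTP" not in resp.get("AvailableChallenges", []):
            raise RuntimeError("pool does not offer EMAIL_OTP to this user")
        resp = cognito.respond_to_auth_challenge(
            ClientId=client_id, ChallengeName="SELECT_CHALLENGE", Session=resp["Session"],
            ChallengeResponses={"USERNAME": username, "ANSWER": "EMAIL_OTP"})
    if resp.get("ChallengeName") != "EMAIL_OTP":
        raise RuntimeError(f"unexpected challenge: {resp.get('ChallengeName')}")
    code = read_code(resp["ChallengeParameters"]["CODE_DELIVERY_DESTINATION"])
    final = cognito.respond_to_auth_challenge(
        ClientId=client_id, ChallengeName="EMAIL_OTP", Session=resp["Session"],
        ChallengeResponses={"USERNAME": username, "EMAIL_OTP_CODE": code})
    return final["AuthenticationResult"]


if __name__ == "__main__":
    # Offline demo; for a real pool use boto3.client("cognito-idp", region_name=...)
    fake = FakeCognito("1example23456789", {"EMAIL_OTP", "PASSWORD"})
    tokens = passwordless_sign_in(fake, "1example23456789", "alice@example.com",
                                  read_code=lambda dest: fake.mailbox[-1][1])
    print("signed in; token type:", tokens["TokenType"])
```

With a real pool, pass `boto3.client("cognito-idp", region_name=...)` in place of the fake together with the app client ID, and make `read_code` the prompt where the user types the code from their inbox. The Session value is what ties the code to one attempt for one user; keep it in the user's own browser or your backend and never accept a session-and-code pair handed in by a third party, because that is exactly the relay a phishing page would perform.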
Cleanup - Delete the Cognito User Pool
After completing this exercise, make sure to delete the Cognito user pool to prevent unnecessary resource usage and associated costs.
Conclusion
In this article, I demonstrated how to use an Amazon Cognito user pool to configure a passwordless authentication process. We validated the setup by creating a new user and logging in using the credentials. The entire configuration and validation process, including the creation and setup of the user pool, was completed using the AWS Management Console.
I hope you found this article both helpful and informative!
Thank you for reading!
Watch the video here:
https://www.youtube.com/watch?v=DYkebV9dNK0
Girish Bhatia
AWS Certified Solution Architect & Developer Associate
Cloud Technology Enthusiast