aws-samples / amazon-cognito-passwordless-auth

Passwordless authentication with Amazon Cognito: FIDO2 (WebAuthn, support for Passkeys), Magic Link, SMS OTP Step Up
Apache License 2.0

[Question] Using Fido2 credentials for non-signin challenges #164

Open SlootSantos opened 2 months ago

SlootSantos commented 2 months ago

Hey folks,

first I have to repeat myself: What a fantastic piece of work you're delivering here. This is greatly simplifying the adoption of safer authentication methods!

Now, I have a more conceptual question: Let's imagine the use case where an admin user is trying to take some destructive action through an application's UI. The application owners want to secure this destructive action with an additional challenge, i.e., "Confirm with your password." With our FIDO flow, we don't have a password, but rather, we have the custom challenge through Cognito.

How would one handle this? Would we re-initiate the authentication flow? Or would we need another API for that?

Thank you!

ottokruse commented 2 months ago

Sorry for the late reply. You could use a step up auth flow, with webauthn for this case. An example of this is in the end-to-end example of this repo.

You'd have to make destructive actions two legged as per the step up auth docs in this repo.

If you have already implemented something else yourself, please share your solution
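One way to make a destructive action two-legged as the reply describes, as an added Node.js example that is not part of this repo's code: leg 1 records the intent and tells the client a WebAuthn step-up is required, leg 2 executes only when a fresh step-up proof bound to the same user is presented. It assumes the Cognito JWT has already been signature-verified upstream (for example with aws-jwt-verify) and that the step-up token carries `auth_time` plus an `amr` claim naming WebAuthn; the claim names, time windows and in-memory store are assumptions.

```javascript
// Added example, not part of amazon-cognito-passwordless-auth.
// Assumption: `claims` objects passed in are decoded JWT claims whose
// signature has already been verified (e.g. with aws-jwt-verify).
const STEP_UP_MAX_AGE_SECONDS = 120; // assumed freshness window for the WebAuthn assertion
const PENDING_TTL_SECONDS = 300;     // assumed lifetime of a leg-1 request

const pendingActions = new Map();    // demo store; a real service would persist this (e.g. DynamoDB)
let nextId = 1;

// Leg 1: record the intent under the caller's subject. Nothing is executed here.
function requestDestructiveAction(claims, action, nowSeconds) {
  const pendingId = `pending-${nextId++}`;
  pendingActions.set(pendingId, { sub: claims.sub, action, createdAt: nowSeconds });
  return { pendingId, stepUpRequired: "webauthn" };
}

// Leg 2: run `execute(action)` only if the step-up token is bound to the same
// user, proves a WebAuthn authentication, and is recent. Single use.
function confirmDestructiveAction(pendingId, stepUpClaims, nowSeconds, execute) {
  const pending = pendingActions.get(pendingId);
  if (!pending) return { ok: false, reason: "unknown_pending_action" };
  if (nowSeconds - pending.createdAt > PENDING_TTL_SECONDS) {
    pendingActions.delete(pendingId);
    return { ok: false, reason: "pending_expired" };
  }
  if (stepUpClaims.sub !== pending.sub) return { ok: false, reason: "subject_mismatch" };
  // Assumption: the step-up token lists "webauthn" in an amr (auth methods) claim.
  const amr = Array.isArray(stepUpClaims.amr) ? stepUpClaims.amr : [];
  if (!amr.includes("webauthn")) return { ok: false, reason: "no_webauthn_step_up" };
  // auth_time is the second the user actually authenticated; reject old assertions
  // so a long-lived session cannot silently satisfy the challenge.
  if (typeof stepUpClaims.auth_time !== "number" ||
      nowSeconds - stepUpClaims.auth_time > STEP_UP_MAX_AGE_SECONDS) {
    return { ok: false, reason: "step_up_stale" };
  }
  pendingActions.delete(pendingId); // consume so the proof cannot be replayed
  return { ok: true, result: execute(pending.action) };
}
```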