aws-samples / amazon-cognito-passwordless-auth

Passwordless authentication with Amazon Cognito: FIDO2 (WebAuthn, support for Passkeys), Magic Link, SMS OTP Step Up
Apache License 2.0
337 stars, 61 forks

[Feature Request] Add OTP SMS authentication #179

Open tinti opened 1 week ago

tinti commented 1 week ago

I have a fully working SMS OTP authentication patch. Would it be accepted, or is SMS OTP authentication too insecure to be merged in this project?

It is basically a copy of the magic-link implementation but without using KMS to generate and validate the OTP codes. From a security perspective I was thinking of storing some validation to compensate:

https://github.com/aws-samples/amazon-cognito-passwordless-auth/blob/5bfdab2b13a07be24020cb4f8032337f242e48ee/cdk/custom-auth/magic-link.ts#L138-L140

This way the only one who could use the OTP is the one who requested it.

ottokruse commented 1 week ago

Very interested in that.

Is that similar to this implementation? https://github.com/aws-samples/amazon-cognito-passwordless-email-auth

But using dynamodb again, like magic links, for rate limiting? Implementing OTP is easier than magic link because you don't have to deal with the link being opened in a different browser. On the other hand, I'd like to include the option to send the OTP using either email or SMS, depending on the user's choice at the time of signing in.

tinti commented 1 week ago

> Very interested in that.
>
> Is that similar to this implementation? https://github.com/aws-samples/amazon-cognito-passwordless-email-auth

I would say that it is closer to the magic link implementation. I have copied most of the code from it. The idea is the same.

> But using dynamodb again, like magic links, for rate limiting?

Yes.

> Implementing OTP is easier than magic link because you don't have to deal with the link being opened in a different browser. On the other hand, I'd like to include the option to send the OTP using either email or SMS, depending on the user's choice at the time of signing in.

It is doable. I can adjust.

What do you think of this proposal?

  1. For OTP the exact same session that initiated the authentication flow should be the one that enters the OTP code.
  2. The default for OTP will be e-mail and an SMS example will be given.

For (1), does Cognito provide a "guest" session that I can use?

Thanks.

ottokruse commented 6 days ago

Not sure what you mean by guest session. You shouldn't need it, I think?

Maybe we should implement this as 2 separate flows. Email OTP and SMS OTP.

Even though they share a lot of code, it may be beneficial for implementation simplicity to keep them separate.

tinti commented 6 days ago

> Not sure what you mean by guest session. You shouldn't need it, I think?

I mean, is there a way I can guarantee that, given an authentication flow X that called the define-auth-challenge trigger requesting an OTP code, only X can use the OTP?

> Maybe we should implement this as 2 separate flows. Email OTP and SMS OTP.
>
> Even though they share a lot of code, it may be beneficial for implementation simplicity to keep them separate.

Agree.

ottokruse commented 6 days ago

> I mean, is there a way I can guarantee that, given an authentication flow X that called the define-auth-challenge trigger requesting an OTP code, only X can use the OTP?

That's what Cognito takes care of for you (it's tied to the session, which is the very long string Cognito returns to you in custom auth calls, and that you must provide back again in respondtoauthchallenge).
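The two points raised in this thread, storing a validation record so that only the requester can use the OTP (tinti's first comment) and relying on the Cognito session string to tie the code to the flow that requested it (the reply above), can be combined in one verification routine. The following is an added example written for this discussion; it is not code from this repository or its magic-link implementation. It assumes a DynamoDB item shaped like `OtpRecord` (modelled here with plain objects so it runs offline), keeps only hashes of the OTP and of the Cognito session, and adds the expiry, attempt cap and one-time-use handling a verify-auth-challenge Lambda would need. The names `createOtpChallenge`, `verifyOtp` and the constants are this example's own.

```typescript
// Added example: OTP bound to the Cognito session that requested it.
// Not project code; DynamoDB is replaced by an in-memory record object.
import { createHash, randomInt, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Assumed shape of the stored item (in the real flow: one DynamoDB row per user).
export interface OtpRecord {
  userId: string;
  sessionHash: string;  // sha256 of the Cognito session string the challenge was issued to
  codeHash: string;     // sha256 of (userId, code); the plaintext code is only sent to the user
  expiresAt: number;    // epoch milliseconds
  attemptsLeft: number; // decremented on every code comparison; 0 means locked or used
}

export const OTP_LENGTH = 6;               // constructed defaults for this example
export const OTP_TTL_MS = 5 * 60 * 1000;
export const MAX_ATTEMPTS = 3;

function sha256(...parts: string[]): string {
  // Domain-separated hash: a newline joiner keeps "a","bc" distinct from "ab","c".
  return createHash("sha256").update(parts.join("\n")).digest("hex");
}

function equalHex(a: string, b: string): boolean {
  // Constant-time comparison so attempt timing does not leak matching prefixes.
  const ba = Buffer.from(a, "hex");
  const bb = Buffer.from(b, "hex");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

export function generateOtp(length = OTP_LENGTH): string {
  // crypto.randomInt is unbiased; zero-pad so every code has the same width.
  return randomInt(0, 10 ** length).toString().padStart(length, "0");
}

// Called from the create-auth-challenge step: returns the code to send to the
// user (email or SMS) and the record to persist; the record never holds the code.
export function createOtpChallenge(
  userId: string,
  session: string,
  now: number = Date.now(),
): { code: string; record: OtpRecord } {
  const code = generateOtp();
  return {
    code,
    record: {
      userId,
      sessionHash: sha256("session", session),
      codeHash: sha256("otp", userId, code),
      expiresAt: now + OTP_TTL_MS,
      attemptsLeft: MAX_ATTEMPTS,
    },
  };
}

export type VerifyResult = "ok" | "expired" | "locked" | "wrong-session" | "wrong-code";

// Called from the verify-auth-challenge-response step with the session string
// the client sent back in RespondToAuthChallenge.
export function verifyOtp(
  record: OtpRecord,
  session: string,
  code: string,
  now: number = Date.now(),
): VerifyResult {
  if (now > record.expiresAt) return "expired";
  if (record.attemptsLeft <= 0) return "locked";
  // Binding check: a code requested by flow X is only accepted from flow X.
  if (!equalHex(record.sessionHash, sha256("session", session))) return "wrong-session";
  // Count the attempt before comparing, so the cap holds even on exceptions later.
  record.attemptsLeft -= 1;
  if (!equalHex(record.codeHash, sha256("otp", record.userId, code))) {
    return record.attemptsLeft > 0 ? "wrong-code" : "locked";
  }
  record.attemptsLeft = 0; // one-time use: a replay of the same code is refused
  return "ok";
}
```

In a real deployment the decrement and the final `attemptsLeft = 0` would be conditional DynamoDB updates on the same item, so that parallel `RespondToAuthChallenge` calls cannot exceed the cap; the session check here is a belt-and-braces measure on top of the session binding Cognito already enforces.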