Can Cognito manage WEB_AUTHN?

aws-samples / amazon-cognito-passwordless-auth

Passwordless authentication with Amazon Cognito: FIDO2 (WebAuthn, support for Passkeys), Magic Link, SMS OTP Step Up

Apache License 2.0

385 stars 70 forks source link

Closed ataylorme closed 17 hours ago

ataylorme commented 1 day ago

I have NextJS application and I would like to implement passwordless auth with Cognito as described here.

This doc seems to indicate it can be done with pretty minimal Congito configuration:

Auth flow of USER_AUTH
Explicit auth flows: ALLOW_USER_AUTH
Sign in policy: allowed first auth factors: SMS_OTP, EMAIL_OTP and/or WEB_AUTHN

What are the benefits of using the methods in this sample of explicitly handling custom challenges over letting Cognito manage it?

ottokruse commented 1 day ago

Those features were released last week and we haven't had time to update our docs yet :)

From the top of my head, use this lib here, if you want:

usernameless sign-in (using discoverable credentials)
when you want control of the FIDO2 parameters that are used for the authentication, e.g. because you want to turn on extensions (credProps), or allow non-user-verifying credentials (plain Yubikey without pin), or for whatever other reason you want full control of the WebAuthn flow (e.g. step up auth with WebAuthn like we do in the end-to-end example)
Lastly I guess this lib here is a demonstration of how FIDO2 works and may be helpful to be able to look under the hood.

Hopefully the new features that come out of the box are enough for you! This lib here ultimately means you have to manage more components.

ataylorme commented 20 hours ago

Thanks for the reply, I realized the Cognito passwordless features were very new after opening this issue. So new, CDK doesn’t support them yet

I appreciate your reply with example use cases of when to still set it up yourself instead of using the new managed passwordless features of Cognito

ottokruse commented 17 hours ago

Cheers.

Updated the README now