Implementing passwordless SMS authentication with Amazon Cognito

Introduction:

In today's digital landscape, securing user data and ensuring a smooth authentication process are paramount for any web application. We integrate AWS Cognito for user management, AWS Lambda for custom authentication logic, and AWS SNS for communication, all orchestrated via a Node.js/Express backend. This system supports both password-based and passwordless authentication options, offering flexibility and enhanced security through multi-factor authentication (MFA).

The architecture spans several components, each serving a specific role in the authentication process. User interactions are managed through HTML forms that allow for registration, login, and phone number verification. The backend server, built with Node.js and Express, handles requests and communicates with AWS Cognito to manage user sessions and authentication states. Custom AWS Lambda functions are utilized to define authentication challenges, such as generating and verifying one-time passwords (OTPs), which are sent to users via AWS SNS.

This setup not only provides a secure and scalable authentication solution but also enhances user experience by streamlining the login process. Through detailed explanations and a clear diagrammatic representation, we will explore how each component interacts within the ecosystem to provide a seamless and secure user authentication experience.


What is Amazon Cognito and Features:

  • AWS Cognito is a fully managed service that allows developers to add user sign-up, sign-in, and access control to web and mobile applications. It handles authentication, authorization, and user management, and can integrate with other AWS services.

Key Features:

  1. User Pools: Used for user authentication. It provides sign-up, sign-in, and multi-factor authentication.
  2. Identity Pools: Provides temporary AWS credentials to access other AWS services.
  3. MFA (Multi-Factor Authentication): Enhances security by requiring a second factor (e.g., SMS, TOTP).
  4. Social Identity Providers: Supports login with Google, Facebook, Amazon, and other OAuth 2.0 providers.
  5. SAML: Allows integration with corporate directories using SAML 2.0.

  • AWS Cognito is commonly used for handling authentication in serverless, mobile, and web apps. You can build password-based or passwordless login systems and manage user sessions with ease.

Diagram Flow:

  1. User Interaction: Users fill out a form on the passwordless sign-in page to enter their username, which is then sent to AWS Cognito.
  2. Initial Challenge Setup: AWS Cognito triggers the "Define Auth Challenge" Lambda function to determine the type of challenge to present to the user, typically sending a verification code.
  3. Code Generation: AWS Cognito then invokes the "Create Auth Challenge" Lambda function, which generates a multi-factor authentication (MFA) code and sends it to the user’s phone via SMS using AWS Simple Notification Service (SNS).
  4. User Code Entry: The user receives the MFA code on their phone and enters it on the sign-in page. This response is sent back to AWS Cognito.
  5. Code Verification: AWS Cognito calls the "Verify Auth Challenge Response" Lambda function to check if the code entered by the user is correct.
  6. Final Authentication: If the code is verified, AWS Cognito re-invokes the "Define Auth Challenge" Lambda function to confirm that the challenge has been successfully met and no further verification is needed. It then issues tokens to authenticate the user.

Architecture Diagram Components Overview:

  • User Interface (UI)

    Contains HTML files (login.html, register.html, verify.html, dashboard.html).

  • Web Server (Node.js/Express)

    Handles HTTP requests, serves HTML files, and processes form submissions.

    Communicates with AWS Cognito for user authentication and session management.

  • AWS Cognito

    Manages user pools for user registration, login, and phone number verification.

    Integrates with custom Lambda triggers for authentication challenges.

  • AWS Lambda Functions

    defineAuthChallenge: Decides the flow of custom authentication processes.

    createAuthChallenge: Sends an OTP to the user's registered phone number.

    verifyAuthChallenge: Verifies the OTP provided by the user against the expected answer.

  • AWS SNS (Simple Notification Service)

    Used by the createAuthChallenge Lambda function to send the OTP via SMS.

  • IAM Roles

    Define permissions for Lambda functions and Cognito to interact with other AWS services.

Custom authentication challenge Lambda triggers

These Lambda triggers issue and verify their own challenges as part of a user pool custom authentication flow.

1. DefineAuthChallenge:

Purpose:

  • This Lambda function determines the flow of the authentication process by specifying what challenge should be presented to the user during the authentication sequence. It is crucial for controlling the authentication logic, especially in custom flows.

How it Works:

  • AWS Cognito triggers this function after the initial sign-in attempt and after each subsequent step.
  • It checks the session object to determine the current state of the user's authentication attempts.
  • If no previous session exists (i.e., the user is attempting to sign in for the first time), it issues a custom challenge (CUSTOM_CHALLENGE).
  • If a session exists and the user previously passed a challenge, it may either issue tokens (if all challenges are passed) or fail the authentication based on the custom logic.

2. CreateAuthChallenge

Purpose:

  • This Lambda function is responsible for creating the actual challenge that the user must respond to, typically sending a one-time password (OTP) via SMS.

How it Works:

  • It is triggered by Cognito after the defineAuthChallenge function decides that a custom challenge is required.
  • It generates an OTP and uses AWS SNS to send this OTP as an SMS to the user's registered phone number.
  • It stores the OTP in the challenge's private parameters (privateChallengeParameters), which Cognito passes only to the verify trigger and never returns to the client, so that it can later be compared with the user's input.

3. VerifyAuthChallenge

Purpose:

  • This Lambda function verifies the OTP that the user submits in response to the challenge issued by createAuthChallenge.

How it Works:

  • Triggered by Cognito once the user submits their OTP.
  • It compares the user-provided OTP with the one stored in the private challenge parameters set by createAuthChallenge.
  • If the OTPs match, it signals Cognito that the authentication challenge was successfully met; otherwise, it indicates failure.

Conclusion:

  • In short, our authentication system leverages AWS Cognito and AWS Lambda to facilitate a secure and user-friendly passwordless login process. By integrating custom Lambda functions, the system enhances security by requiring a one-time password (OTP) sent via SMS for login, effectively combining convenience with robust security measures. This setup eliminates the need for traditional passwords, reduces the risk of password-related security breaches, and streamlines the user experience.


