Amazon Web Services (AWS) has expanded its authentication capabilities by adding passkey support to Amazon Cognito, its customer identity and access management service for web and mobile applications. This move aligns with the broader industry shift toward passwordless authentication, following similar implementations by tech giants like Microsoft, Google, and Apple.
Amazon Cognito, which was introduced a decade ago, has received several significant updates, including a new Managed Login feature that enhances the classic Hosted UI functionality. This improved interface provides built-in responsiveness for various screen sizes, multi-factor authentication, and password-reset capabilities in user pools. The service now includes a branding designer for customizing user journeys and API operations for programmatic configuration.
The integration of passkey support within the Managed Login feature enables users to authenticate with a device-bound cryptographic key pair, in which the private key stays on the user's device, offering an alternative to traditional passwords. This implementation eliminates the need for developers to handle the WebAuthn protocol directly while providing a stronger, phishing-resistant factor. The move comes as FIDO2-based authentication gains momentum, though some experts have raised concerns about interoperability issues in the FIDO2 ecosystem.
AWS has structured Amazon Cognito’s user pool features into three distinct plans: Lite, Essentials, and Plus. The Lite plan provides basic authentication features and includes the classic hosted UI. The Essentials plan incorporates the latest authentication features, including choice-based sign-in, email MFA, and passkey sign-in with FIDO2 authenticators. The Plus plan builds upon the Essentials offering by adding advanced security features, activity logging, and customizable managed login pages.
Beyond passkey authentication, Amazon Cognito supports passwordless sign-in through one-time codes delivered via email or SMS. The service allows for extensive customization through AWS Lambda functions, enabling developers to implement app-specific logic for fraud detection and user validation. This flexibility is particularly important as organizations face increasingly sophisticated security threats, including malware that can bypass traditional multi-factor authentication systems.
The platform maintains support for federated identities, allowing secure access to AWS resources through external identity providers such as Amazon, Facebook, Twitter, and Google. It also accommodates custom identity providers and supports unauthenticated users to facilitate flexible login processes. This approach to federated identity management reflects a growing industry trend toward unified digital identity systems, similar to initiatives being developed in various countries for national digital identity schemes.
Sources: AWS Blog, ZDNet, AWS Documentation