Integrating Authsignal with Amazon Cognito
Learn how to integrate Authsignal with Amazon Cognito to rapidly implement passwordless authentication.
Amazon Cognito offers two approaches for authentication: a managed login with a hosted UI, or integration via Custom authentication challenge Lambda triggers when you need more control over the authentication UI and user experience.
To integrate Authsignal with Cognito, you’ll use the second approach. Authsignal offers two ways of integrating with Cognito’s custom authentication challenge Lambda triggers:
- Custom UI - Build your own UI using our Client SDKs for web and mobile when you need complete control over the user experience.
Passkey authentication in a native mobile app using Authsignal Client SDKs
- Pre-built UI - Drop in our ready-to-use hosted UI that supports passkeys, SMS and WhatsApp OTP, and more. You can customize the design to match your brand.
WhatsApp OTP authentication in a web app using Authsignal's pre-built UI
Lambda integration steps
1. Create auth challenge
The first lambda trigger which we will use is Create auth challenge.
We will use the Authsignal Server SDK in this lambda to return a short-lived challenge token.
We will use the Authsignal Server SDK in this lambda to return a short-lived challenge token.
We will use the Authsignal Server SDK in this lambda to return a short-lived pre-built UI URL.
2. Verify auth challenge response
The second lambda trigger which we will use is Verify auth challenge response.
In this lambda we will take the validation token obtained from the Authsignal Client SDK and pass it to the Authsignal Server SDK to verify the challenge.
In this lambda we will take the validation token obtained from the Authsignal Client SDK and pass it to the Authsignal Server SDK to verify the challenge.
In this lambda we will take the validation token obtained when redirecting back from the Authsignal pre-built UI and pass it to the Authsignal Server SDK to verify the challenge.
App integration steps
1. Obtain a username
Once the user has inputted their email address or phone number you can either:
- Use this value as the Cognito username, or
- Use this value to find the user record in your database and obtain their username
The approach will depend on your user pool configuration. For more detail on Cognito usernames refer to the AWS documentation.
Passkeys represent a new paradigm of device-initiated authentication where a username is not required as the first step. For this reason the integration steps are slightly different - see our guide on implementing passkeys with Cognito.
2. Call SignUp (if required)
You can call SignUp either as part of a separate account registration flow, or “just-in-time” before every sign-in attempt (ignoring if the user already exists).
3. Call InitiateAuth
The next step in authenticating with Cognito from your web or mobile app is to call InitiateAuth. This will invoke the Create auth challenge lambda which we have implemented above to return an Authsignal challenge token.
Here we obtain a challenge token to pass to an Authsignal Client SDK.
Here we obtain a challenge token to pass to an Authsignal Client SDK.
Here we obtain a short-lived URL for the Authsignal pre-built UI.
4. Use Authsignal
The next step is to use Authsignal to handle presenting the user with a challenge.
Use an Authsignal Client SDK to present the user with a challenge.
Here we show email OTP but our SDKs support a variety of methods including passkeys, SMS or WhatsApp, and authenticator app.
Use an Authsignal Client SDK to present the user with a challenge.
Here we show email OTP but our SDKs support a variety of methods including passkeys, SMS or WhatsApp, and authenticator app.
Use the Authsignal pre-built UI to present the user with a challenge.
The Authsignal Web SDK can be used to launch the pre-built UI in redirect or popup mode.
5. Call RespondToAuthChallenge
The final step of your app integration is to call RespondToAuthChallenge. This will invoke the Verify auth challenge response lambda which we have implemented above to complete authentication using our Authsignal validation token.
Pass the validation token obtained from the Authsignal Client SDK to Cognito as the challenge answer.
Pass the validation token obtained from the Authsignal Client SDK to Cognito as the challenge answer.
Pass the validation token obtained from the Authsignal pre-built UI to Cognito as the challenge answer.