Managing authenticators when integrating Authsignal with Amazon Cognito
Learn how to let users enroll and manage different authenticators when integrating Authsignal with Amazon Cognito.
In the previous guide we demonstrated how to enroll the user’s first authenticator as part of a combined sign-up/sign-in flow.
This guide will cover the implementation steps for letting users enroll and manage multiple different authentication methods when integrating Authsignal with Amazon Cognito.
GitHub example code
Enrolling more authenticators
Once the user has enrolled their first authentication method and has signed in, we want to give them the option to enroll more authentication methods.
As an example, we’ll demonstrate how to let users enroll email OTP as a second authentication method, but the implementation approach will be similar for all authentication methods.
While authentication methods can be enrolled in any sequence, it’s recommended to only let users enroll passkeys after they’ve first enrolled a method like email or SMS OTP, so users always have a fallback option in cases where their passkey isn’t available.
Lambda integration
To authorize binding the new authentication method to the user, we will create an authenticated API endpoint which our app can call once the user has signed in.
This endpoint will use a JWT Authorizer to authenticate using the Cognito access token. It will return a short-lived Authsignal token which we’ll use in the following step.
If you are using the Authsignal pre-built UI, the endpoint will instead return a short-lived Authsignal pre-built UI URL which we’ll use in the following step.
App integration
- Call our endpoint to obtain the Authsignal token.
- Enroll the email OTP authenticator using a Client SDK.
For more information on how to use other authentication methods refer to our Web SDK and Mobile SDK documentation.
If you are using the pre-built UI instead:
- Call our endpoint to obtain the Authsignal pre-built UI URL.
- Launch the pre-built UI URL (optionally using the Authsignal Web SDK).
For more information refer to our documentation on launching the pre-built UI.
Removing authenticators
The Authsignal Server SDK can be used within your authenticated API endpoint to get the user’s currently enrolled authenticators and to remove an authenticator by its ID.
The example code below demonstrates how to remove the user’s email OTP authenticator by using the Authsignal Server SDK inside an API endpoint which is authenticated using a JWT authorizer.
For more information refer to our Server SDK documentation.
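The following sketch of such a removal endpoint is an added example, not Authsignal's own code. It assumes an API Gateway HTTP API JWT authorizer (payload format 2.0) and an injected `client` whose `getAuthenticators` and `deleteAuthenticator` methods, along with the `"EMAIL_OTP"` value and the "keep at least one authenticator" policy, are assumptions to check against the Server SDK documentation.

```javascript
// Added example. `client` stands in for an Authsignal Server SDK instance; the
// method names and the "EMAIL_OTP" value are assumptions, check the SDK docs.
const EMAIL_OTP = "EMAIL_OTP";

// The user ID comes only from the claims the JWT authorizer verified (HTTP API
// payload v2), never from the request body or query string.
function userIdFromEvent(event) {
  const sub = event?.requestContext?.authorizer?.jwt?.claims?.sub;
  return typeof sub === "string" && sub.length > 0 ? sub : null;
}

// Pick the authenticator to remove from the caller's own list.
// Policy assumption: never remove the user's only remaining authenticator.
function selectForRemoval(authenticators, method) {
  const target = authenticators.find((a) => a.verificationMethod === method);
  if (!target) return { ok: false, status: 404, reason: "not_enrolled" };
  if (authenticators.length < 2) return { ok: false, status: 409, reason: "last_authenticator" };
  return { ok: true, userAuthenticatorId: target.userAuthenticatorId };
}

function makeHandler(client) {
  return async function handler(event) {
    const userId = userIdFromEvent(event);
    if (!userId) return { statusCode: 401, body: JSON.stringify({ error: "unauthenticated" }) };
    const authenticators = await client.getAuthenticators({ userId });
    const decision = selectForRemoval(authenticators, EMAIL_OTP);
    if (!decision.ok) return { statusCode: decision.status, body: JSON.stringify({ error: decision.reason }) };
    await client.deleteAuthenticator({ userId, userAuthenticatorId: decision.userAuthenticatorId });
    return { statusCode: 204, body: "" };
  };
}

// Constructed in-memory stand-in so the handler can be exercised offline.
function fakeClient(store) {
  return {
    async getAuthenticators({ userId }) { return store[userId] || []; },
    async deleteAuthenticator({ userId, userAuthenticatorId }) {
      store[userId] = (store[userId] || []).filter((a) => a.userAuthenticatorId !== userAuthenticatorId);
    },
  };
}
```

Because the authenticator ID is looked up from the list fetched for the token's `sub`, a caller cannot name another user's authenticator in the request.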
The Authsignal pre-built UI also supports removing authenticators when launched in settings mode.
For more information refer to our pre-built UI documentation.