AWS Partner Network (APN) Blog

Implementing a True Passwordless Authentication with Amazon Cognito and Transmit Security

By Itay Meller, Sr. Security Specialist Solutions Architect – AWS
By Danny Kadyshevich, Sr. Product Manager – Transmit Security


With passwordless authentication technologies such as FIDO2 and Passkeys being introduced, web service and application providers can build best-in-class user experiences. Doing so while fully eliminating passwords—the primary vector for account takeover incidents—can significantly reduce costs by replacing legacy authentication solutions.

In this post, we will demonstrate how Amazon Web Services (AWS) customers can use Amazon Cognito for their application authentication and leverage Transmit Security to provide end users with a passwordless authentication experience. Amazon Cognito lets you easily add user sign-up and authentication to your mobile and web apps.

Transmit Security is an AWS Partner that provides advanced authentication and risk management solutions to the largest enterprises in the world.

Transmit Security provides a strong passwordless authentication service that enables customers to securely navigate across all channels from any trusted device. It creates a single customer identity and binds the identity across channels, facilitating secure cross-channel access and passwordless multi-factor authentication (MFA).

Transmit Security combines device-based FIDO2 biometrics and the OpenID Connect (OIDC) protocol to provide its service built on a passwordless architecture. It does not use or store a password anywhere, putting an end to the risk, frustration, and overhead of passwords.

Authentication Flow

Looking at the diagram below, the scope of Transmit Security’s solution covers everything to the right of the user and does not include an application. You can use your existing application, or create a new one and integrate it with the flow presented here.


Figure 1 – Authentication flow.

Solution Walkthrough

In this section, we will demonstrate how you can use Amazon Cognito Hosted UI to integrate with Transmit as the identity provider (IdP). The same can be achieved by using a Custom UI leveraging Cognito APIs.

  1. Register with Transmit Security. Request a demo through the link, and an expert will get in touch to provide a Transmit Security tenant.
  2. Once logged in to Transmit Security, navigate to Applications and select Add Application:
    • Under Basic information, use any application name and description.
    • Under Client information, use any display name and leave the rest as defaults.
    • Under Redirect URIs, use https://<DOMAIN>.auth.<REGION>.amazoncognito.com/oauth2/idpresponse; note that <DOMAIN> will be selected when defining your user pool and <REGION> is the working region in AWS; for example, for Ireland use eu-west-1.
    • At this point, you can navigate to the next step to configure a new user pool on the AWS Management Console, replace relevant values once completed, and return to Step 3.
  3. Hit Save changes, and the application should appear in the Applications tab.

Next, on your AWS console:

  1. Navigate to the Cognito service and click Create User Pool.
  2. Authentication providers:
    • Select Federated identity provider alongside Cognito user pool as the provider types.
    • Check Email for Cognito user pool sign-in options.
    • Select OpenID Connect (OIDC) under Federated sign-in options.
  3. Configure security requirements:
    • For password policy, use the Cognito defaults and choose No MFA, as MFA will be handled in the Transmit authentication process.
    • Under User account recovery, leave the defaults as they are.
  4. Configure sign-up experience:
    • Keep the Enable self-registration check box ON to allow users to sign up on the hosted user interface (UI) page.
    • Allow Cognito to automatically send messages to verify and confirm can be disabled, as verification will be done by Transmit.
    • Leave email as a required attribute on user sign up.*

* The example requires you to have the email address of the user as the identifying user attribute and the only identifier. Instead of Amazon Cognito executing the email validation, it is Transmit providing the validated attributes.

  5. Configure message delivery: Use Send email with Cognito for simplicity.
  6. OpenID Connect (OIDC):
    • For Provider name, enter a name for the identity provider (IdP); in this example we use Transmit as the provider name. This name appears in the Cognito hosted UI. Note that you can’t change this field after creating the provider. If you plan to include this field in your app or use the Cognito hosted UI, use a name you’re comfortable with your app’s users seeing.
    • For Client ID and Client Secret, paste the Client ID and Secret you noted earlier from Transmit.
    • For Attributes request method, leave the setting as GET.
    • For Authorized scopes, enter the OIDC scope values you want to authorize, separated by spaces. In this configuration, we use the following required scopes: openid bindid_network_info email
      • For more information, see Scope values in OpenID Connect Basic Client Implementer’s Guide 1.0 on the OpenID website.
      • Important: The openid scope is required for OIDC IdPs, and you can add other scopes according to your user pool configuration. For example, if you kept email as a required attribute when creating your user pool, enter openid email to include both scopes. You can map the email attribute to your user pool later in this setup.
    • For Issuer, paste the Issuer URL: https://signin.bindid-sandbox.io
    • Map attributes between your OpenID Connect provider and your user pool; map the “email” User pool attribute to the “email” OpenID Connect attribute.
      • Optional: Consider mapping Transmit email identifiers to Cognito email-based identifiers.
  7. Integrate your app:
    • Enter a name for the user pool.
    • Use the Cognito Hosted UI should be checked.
    • Select Use a Cognito domain under domain type, and choose the <DOMAIN> you chose on Transmit earlier in the process.
    • Under Initial app client, leave the defaults as they are and give it any name. The callback URL should point to your application, where the user will be redirected upon successful authentication.
      • For the sake of demonstration, we use the Cognito hosted UI domain: https://<DOMAIN>.auth.<REGION>.amazoncognito.com.
    • Under Advanced app client settings, choose the IdPs you would like your users to authenticate with. For this demonstration, we’ve chosen only Transmit under “Identity Providers” to allow passwordless authentication only; you can combine other authentication methods as well. Keep everything else as default.
  8. Review the settings and create the user pool.

Before testing the integration, make sure you have updated the Redirect URI in the Transmit application based on the selected domain as described in Step 2 in the Transmit configurations steps.

Test the Integration

  1. In the Amazon Cognito console, navigate to your user pool: Transmit > App Integration > App clients and analytics, and then click on the app client you created.
  2. Under Hosted UI, click View Hosted UI. To test the complete sign-in experience, you can do this step in a new incognito window.
  3. Once redirected to Transmit, sign in either with the user already provisioned by Transmit, or register a new user by entering a new email address and completing the registration steps.


Figure 2 – Sign-in screen.

  4. Sign into Transmit using biometric authentication.


Figure 3 – Biometric authentication.

  5. Upon successful authentication, you should be redirected to the callback URL you provided with an authorization code: https://<DOMAIN>.auth.<REGION>.amazoncognito.com/?code=XXXXXXX

In your application, you can use the /oauth2/token endpoint to exchange the authorization code for Cognito user pool tokens, as described in the documentation. That completes the user authentication flow.
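The token exchange described above, as an added example that is not part of the original post and not Transmit's or AWS's own code: it pulls the one-time code out of the callback URL, builds the POST to the Cognito /oauth2/token endpoint, and checks the claims a relying party must validate on the returned ID token. The domain, region, user pool ID and app client credentials are constructed placeholders.

```python
import base64
import json
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for the values chosen when creating the user pool.
DOMAIN, REGION = "example-domain", "eu-west-1"
USER_POOL_ID = "eu-west-1_EXAMPLEPOOL"
CLIENT_ID, CLIENT_SECRET = "exampleclientid", "exampleclientsecret"
REDIRECT_URI = f"https://{DOMAIN}.auth.{REGION}.amazoncognito.com"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def code_from_callback(url: str) -> str:
    """Extract the one-time authorization code from the callback URL."""
    qs = parse_qs(urlparse(url).query)
    if "code" not in qs:  # Cognito reports failures as ?error=... instead
        raise ValueError("callback carried no authorization code")
    return qs["code"][0]


def build_token_request(code: str) -> Tuple[str, Dict[str, str], str]:
    """Return (url, headers, body) for the POST to /oauth2/token.
    The client secret travels in an HTTP Basic header, not in the body or URL,
    and redirect_uri must equal the one used in the authorization request."""
    url = f"https://{DOMAIN}.auth.{REGION}.amazoncognito.com/oauth2/token"
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "client_id": CLIENT_ID,
                      "code": code, "redirect_uri": REDIRECT_URI})
    return url, headers, body


def id_token_claims_ok(id_token: str, now: Optional[float] = None) -> bool:
    """Check iss, aud, token_use and exp of the ID token returned by Cognito.
    Run this only after verifying the RS256 signature against the pool JWKS at
    <issuer>/.well-known/jwks.json; that fetch is left out to stay offline."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = time.time() if now is None else now
    return (claims.get("iss") == ISSUER and claims.get("aud") == CLIENT_ID
            and claims.get("token_use") == "id" and claims.get("exp", 0) > now)


def unsigned_test_token(claims: dict) -> str:
    """Constructed sample token (placeholder signature) for offline testing only."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256'})}.{seg(claims)}.sig"
```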

Next, navigate to your user pool and you should see the new user added to the pool.


Figure 4 – User pool.

Cleanup

To clean up the resources we created in this post, follow these steps:

  • Navigate to your BindID console, and under Applications delete the application you created earlier and the relevant users under Users.
  • Navigate to your Cognito console and delete the user pool you created.

Conclusion

In this post, we showed how to configure an Amazon Cognito user pool that integrates with a Transmit Security OIDC application to provide seamless passwordless authentication using the Cognito Hosted UI. The same can be achieved by using a Custom UI leveraging Cognito APIs.

While this use case supports a passwordless self-registration, it can be modified to support different use cases for different user management and onboarding requirements.

Learn more about Amazon Cognito user pools and try this out with a Transmit Security account.
