Can Cognito manage WEB_AUTHN? #216

Closed
ataylorme opened this issue Nov 24, 2024 · 3 comments

@ataylorme

I have a NextJS application and I would like to implement passwordless auth with Cognito as described here.

This doc seems to indicate it can be done with pretty minimal Cognito configuration:

  • Auth flow of USER_AUTH
  • Explicit auth flows: ALLOW_USER_AUTH
  • Sign in policy: allowed first auth factors: SMS_OTP, EMAIL_OTP and/or WEB_AUTHN

What are the benefits of using the methods in this sample of explicitly handling custom challenges over letting Cognito manage it?

@ottokruse
Contributor

Those features were released last week and we haven't had time to update our docs yet :)

Off the top of my head, use this lib here, if you want:

  • usernameless sign-in (using discoverable credentials)
  • control of the FIDO2 parameters that are used for the authentication, e.g. because you want to turn on extensions (credProps), or allow non-user-verifying credentials (plain YubiKey without PIN), or for whatever other reason you want full control of the WebAuthn flow (e.g. step-up auth with WebAuthn like we do in the end-to-end example)
  • Lastly I guess this lib here is a demonstration of how FIDO2 works and may be helpful to be able to look under the hood.

Hopefully the new features that come out of the box are enough for you! This lib here ultimately means you have to manage more components.
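The "non-user-verifying credentials" point above comes down to which authenticator data flags the relying party insists on. The following is an added example, not code from this thread or from the library: it covers only the flag and RP ID checks (no signature verification), and the function names, the `example.com` RP ID and the sample bytes are assumptions constructed for illustration.

```javascript
// Added example: relying-party check of WebAuthn authenticator data flags.
// Layout (WebAuthn spec): rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
const crypto = require("node:crypto");

const FLAG_UP = 0x01; // bit 0: user present (touch)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric)

function parseAuthenticatorData(data) {
  const buf = Buffer.isBuffer(data) ? data : Buffer.from(data);
  if (buf.length < 37) throw new Error("authenticator data shorter than 37 bytes");
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// userVerification is the policy the server asked for:
// "required", "preferred" or "discouraged" (the values defined by WebAuthn).
function checkAssertionFlags(authData, { rpId, userVerification }) {
  const parsed = parseAuthenticatorData(authData);
  const expected = crypto.createHash("sha256").update(rpId).digest();
  if (!crypto.timingSafeEqual(expected, parsed.rpIdHash)) {
    return { ok: false, reason: "rpIdHash mismatch" };
  }
  if (!parsed.userPresent) {
    return { ok: false, reason: "user presence flag not set" };
  }
  // A plain security key without a PIN sets UP but not UV; it only passes
  // when the policy is not "required".
  if (userVerification === "required" && !parsed.userVerified) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  return { ok: true, userVerified: parsed.userVerified, signCount: parsed.signCount };
}

// Constructed sample input: builds the fixed 37-byte header for a given RP ID.
function buildSampleAuthData(rpId, flags, signCount) {
  const out = Buffer.alloc(37);
  crypto.createHash("sha256").update(rpId).digest().copy(out, 0);
  out[32] = flags;
  out.writeUInt32BE(signCount, 33);
  return out;
}
```

When a non-verified assertion is accepted under "preferred" or "discouraged", the returned `userVerified` value lets the caller decide whether the session counts as single-factor.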

@ataylorme
Author

Thanks for the reply, I realized the Cognito passwordless features were very new after opening this issue. So new, CDK doesn’t support them yet.

I appreciate your reply with example use cases of when to still set it up yourself instead of using the new managed passwordless features of Cognito.

@ottokruse
Contributor

Cheers.

Updated the README now
