Dilip Kola
Dec 31, 2018 · 2 min read

Cognito is an authentication service by AWS. It consists of two major components: User pool and Identity pool.

Cognito User pool is a fully managed service for storing and retrieving usernames, passwords, profile fields, and custom fields. It is mostly used to authenticate users of mobile and web applications.

Cognito Identity pool is also a fully managed service; it issues temporary identities for accessing AWS services to your mobile or web app users, who sign in through either a social identity provider or a Cognito user pool.

In this blog, I will focus only on the Cognito User pool service. This service provides triggers at various points of the user login flows, and we can integrate these triggers with Lambda functions. Cognito calls them synchronously using the push model. We can use these triggers for the following use cases:

  • Passwordless authentication, for example authenticating by sending a link to the user's email, similar to Medium.
  • Captcha validation for user signup using the Pre sign-up trigger.
  • Sending custom messages or alerts based on user activity.
  • Replicating user data to alternative data storage for redundancy.
  • Collecting user activity analytics.
  • Adding more security to the user authentication flows, like the forced password reset I am discussing in this blog.
  • Migrating users from an existing legacy database to Cognito.

In order to implement the forced password reset after continuous failed attempts, we have leveraged the following Cognito User pool triggers.

Pre-authentication trigger: this trigger is invoked just before Cognito verifies the provided username and password. For this trigger, we implemented a custom Lambda function that stores the user's login attempt count in DynamoDB; based on this count we decide whether or not to force the user to reset their password through email verification.

Post-authentication trigger: this trigger is invoked just after Cognito has successfully authenticated the user. In this Lambda trigger, we reset the user's login attempt count in DynamoDB by deleting the item from the DB.

The architecture of the Password reset workflow

We need to reset the login attempt count in the Pre-authentication trigger at the moment we force the user to reset their password; otherwise the user won't be able to log in even after they have updated their password.
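The two triggers and the reset caveat above, written out as an added example (my code, not the post's Lambda functions). The DynamoDB table is replaced by an in-memory store and the Cognito reset call is injected so the module runs offline; `MAX_FAILED_ATTEMPTS` is an assumed threshold, and the event shape follows the Cognito trigger payload's `userName` field.

```python
"""Added example, not the post's code: Cognito pre/post-authentication triggers that
force a password reset after consecutive failures. DynamoDB/reset call are injected."""
from typing import Callable, Dict

MAX_FAILED_ATTEMPTS = 5  # assumed threshold; the post states no number


class TooManyFailedAttempts(Exception):
    """Raising from a pre-authentication trigger makes Cognito deny the login."""


class AttemptStore:
    """In-memory stand-in for the DynamoDB table keyed by username (constructed)."""
    def __init__(self) -> None:
        self.items: Dict[str, int] = {}

    def increment(self, username: str) -> int:
        self.items[username] = self.items.get(username, 0) + 1
        return self.items[username]

    def delete(self, username: str) -> None:
        self.items.pop(username, None)


def pre_authentication(event: dict, store: AttemptStore,
                       force_reset: Callable[[str], None]) -> dict:
    """Runs before the password check: the count is prior failures plus this try."""
    username = event["userName"]
    if store.increment(username) > MAX_FAILED_ATTEMPTS:
        # Clear the count before forcing the reset, or the user stays locked out.
        store.delete(username)
        # Assumed: in deployment this wraps cognito-idp AdminResetUserPassword.
        force_reset(username)
        raise TooManyFailedAttempts("too many failed attempts; reset email sent")
    return event


def post_authentication(event: dict, store: AttemptStore) -> dict:
    """Runs only after a successful login: drop the counter item."""
    store.delete(event["userName"])
    return event


def simulate_login(username: str, store: AttemptStore,
                   force_reset: Callable[[str], None], password_ok: bool) -> str:
    """Constructed harness driving both triggers as Cognito would for one attempt."""
    event = {"userName": username, "request": {"userAttributes": {}}, "response": {}}
    try:
        pre_authentication(event, store, force_reset)
    except TooManyFailedAttempts:
        return "reset_forced"
    if not password_ok:
        return "failed"  # Cognito rejects the password; the counter stays
    post_authentication(event, store)
    return "success"
```

Because the pre-authentication trigger cannot know whether the current password is correct, the stored count is only meaningful together with the post-authentication deletion; that pairing is what turns it into a consecutive-failure counter.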


Now you know how to improve the security of your Cognito user pool implementation by using the above method to force users to reset their password after continuous failed attempts. Please try this out and let me know if you face any issues while implementing it.


Tensult Blogs

Stories on Cloud computing, Analytics, Automation and Security

Dilip Kola

Written by

IIT Kanpur | Ex-Amazon | Ex-AWS | Co-founder @Tensult
