How to implement the forced password reset after continuous failed login attempts for AWS Cognito User pool

Cognito is an authentication service from AWS. It consists of two major components: User pools and Identity pools.

A Cognito User pool is a fully managed user directory that stores and retrieves usernames, passwords, standard profile attributes and custom attributes. It is mostly used to authenticate the users of mobile and web applications.

A Cognito Identity pool is also a fully managed service; it issues temporary AWS credentials to your mobile or web app users, who authenticate either through a social identity provider or through a Cognito User pool.

In this blog I will focus only on the Cognito User pool service. It provides triggers at various points in the user sign-up and sign-in flows, and each trigger can be wired to a Lambda function. Cognito invokes the function synchronously (push model), so the response the function returns, or the error it raises, decides how the flow continues. These triggers can be used for the following use cases:

  • Passwordless authentication, for example signing in through a link sent to the user's email, the way Medium does.
  • Captcha validation during sign-up, using the Pre sign-up trigger.
  • Sending custom messages or alerts based on user activity.
  • Replicating user data to an alternative data store for redundancy.
  • Collecting user activity analytics.
  • Adding security to the authentication flows, such as the forced password reset discussed in this blog.
  • Migrating users from an existing legacy database to Cognito.

To implement the forced password reset after consecutive failed attempts, we used the following two Cognito User pool triggers.

Pre-authentication trigger
This trigger is invoked just before Cognito verifies the supplied username and password, so it runs for every sign-in attempt, successful or not. For this trigger we implemented a Lambda function that increments the user's login-attempt count in DynamoDB. Based on that count we decide whether to force the user to reset their password through email verification.

Post-authentication trigger
This trigger is invoked just after Cognito has successfully authenticated the user. In this Lambda function we reset the user's login-attempt count by deleting the item from DynamoDB. Because a successful login clears the counter, the count seen by the Pre-authentication trigger is effectively the number of consecutive failed attempts.

The architecture of the Password reset workflow
Once the Pre-authentication trigger forces a password reset, it must also reset the login-attempt count; otherwise the user's next sign-in would hit the threshold again and they would be unable to log in even after updating their password.
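As an added example (not the blog's own Lambda code), here is one way to implement both triggers in Python so that they share the same counter store. It assumes a DynamoDB table whose partition key is `pk` (the string `<userPoolId>#<userName>`) with TTL enabled on the `expires_at` attribute, the environment variables `ATTEMPTS_TABLE` and `MAX_FAILED_ATTEMPTS` (hypothetical names), and that "reset by email verification" is done with Cognito's `AdminResetUserPassword` API, which puts the user into the RESET_REQUIRED state and sends a verification code to their verified email or phone. The in-memory store, the fake Cognito client and the `simulate()` walkthrough are constructed stand-ins so the logic runs offline.

```python
"""Cognito Pre/Post Authentication triggers that force a password reset after N
consecutive failed sign-in attempts, keeping the per-user counter in DynamoDB.
Added example code, not the blog's own implementation."""
import os
import time

# Assumed configuration (hypothetical names): threshold and counter lifetime.
MAX_FAILED_ATTEMPTS = int(os.environ.get("MAX_FAILED_ATTEMPTS", "5"))
COUNTER_TTL_SECONDS = 24 * 60 * 60  # stale counters age out via DynamoDB TTL


class PasswordResetForced(Exception):
    """Raised from the Pre Authentication trigger: Cognito denies the sign-in
    and returns this message to the client."""


class DynamoAttemptStore:
    """Counter table (assumed layout): key "pk" = "<userPoolId>#<userName>",
    number attribute "attempts", TTL attribute "expires_at"."""

    def __init__(self, table_name):
        import boto3  # lazy import so the module also loads without the AWS SDK
        self.table = boto3.resource("dynamodb").Table(table_name)

    def increment(self, user_pool_id, username):
        resp = self.table.update_item(  # ADD is atomic: concurrent attempts all count
            Key={"pk": f"{user_pool_id}#{username}"},
            UpdateExpression="ADD attempts :one SET expires_at = :ttl",
            ExpressionAttributeValues={":one": 1, ":ttl": int(time.time()) + COUNTER_TTL_SECONDS},
            ReturnValues="UPDATED_NEW")
        return int(resp["Attributes"]["attempts"])

    def reset(self, user_pool_id, username):
        self.table.delete_item(Key={"pk": f"{user_pool_id}#{username}"})


class InMemoryAttemptStore:
    """Constructed stand-in for the DynamoDB table, for local runs and tests."""

    def __init__(self):
        self.counts = {}

    def increment(self, user_pool_id, username):
        key = (user_pool_id, username)
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key]

    def reset(self, user_pool_id, username):
        self.counts.pop((user_pool_id, username), None)


class FakeCognito:
    """Constructed stand-in for the boto3 cognito-idp client; records resets."""

    def __init__(self):
        self.resets = []

    def admin_reset_user_password(self, UserPoolId, Username):
        self.resets.append((UserPoolId, Username))


def pre_authentication(event, store, cognito, max_attempts=MAX_FAILED_ATTEMPTS):
    """Runs before Cognito checks the password, i.e. on every attempt.  Because
    post_authentication() deletes the counter on success, a count above
    max_attempts means max_attempts consecutive failures preceded this attempt."""
    user_pool_id, username = event["userPoolId"], event["userName"]
    if event["request"].get("userNotFound"):
        return event  # unknown user: nothing to count, let Cognito answer
    if store.increment(user_pool_id, username) > max_attempts:
        # AdminResetUserPassword puts the user in RESET_REQUIRED: Cognito sends a
        # code to the verified email/phone and the user must set a new password
        # through the forgot-password flow.
        cognito.admin_reset_user_password(UserPoolId=user_pool_id, Username=username)
        # Clear the counter now, otherwise the very next sign-in is forced again,
        # even after the user has set the new password.
        store.reset(user_pool_id, username)
        raise PasswordResetForced("Too many failed sign-in attempts. A password "
                                  "reset code has been sent; set a new password first.")
    return event


def post_authentication(event, store):
    """Runs only after a successful authentication: clear the counter."""
    store.reset(event["userPoolId"], event["userName"])
    return event


def pre_authentication_handler(event, context):  # Lambda entry point
    import boto3
    store = DynamoAttemptStore(os.environ["ATTEMPTS_TABLE"])  # ATTEMPTS_TABLE: assumed
    return pre_authentication(event, store, boto3.client("cognito-idp"))


def post_authentication_handler(event, context):  # Lambda entry point
    return post_authentication(event, DynamoAttemptStore(os.environ["ATTEMPTS_TABLE"]))


def simulate(failed_attempts, max_attempts=3):
    """Constructed walkthrough: `failed_attempts` wrong passwords, then the right
    one.  Returns (reset_forced, resets_issued, counters_still_stored)."""
    store, cognito, forced = InMemoryAttemptStore(), FakeCognito(), False
    event = {"userPoolId": "us-east-1_EXAMPLE", "userName": "alice", "request": {}}
    for _ in range(failed_attempts + 1):
        try:
            pre_authentication(event, store, cognito, max_attempts)
        except PasswordResetForced:
            forced = True
            break  # a wrong password fails inside Cognito; Post Authentication never runs
    else:
        post_authentication(event, store)  # the final, correct password succeeded
    return forced, len(cognito.resets), len(store.counts)
```

Two things to check before deploying this. First, the Pre-authentication trigger runs for every attempt and never sees the password, so anyone who knows a username can trip the threshold and force a reset on that account; keep the threshold reasonable, consider rate limiting at the client or API layer, and remember that Cognito already applies its own temporary lockout with exponential backoff after repeated wrong passwords, so this reset is a layer on top of that rather than a replacement. Second, the Lambda role needs only `cognito-idp:AdminResetUserPassword` on the user pool and `dynamodb:UpdateItem` plus `dynamodb:DeleteItem` on the counter table.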

Conclusion

Now you know how to improve the security of your Cognito user pool by using the method above to force users to reset their password after consecutive failed attempts. Please try it out and let me know if you face any issues while implementing it.
