I’m using the AWS Cognito custom authentication flow. I do not rely on Cognito for MFA. I want to make use of the adaptive authentication security heuristics in Cognito’s advanced security features. Unfortunately, the event passed to the trigger does not include this information. Is it possible to have a different set of custom challenges based on the risk level from adaptive authentication?
Here is a workaround until Cognito includes this information in the event passed to the trigger. Configure different rules for advanced security features based on the app client id. For app client id 1, configure adaptive authentication to block users from logging in on detection of risk. For app client id 2, configure it to always allow login.
In the custom auth trigger lambda, decide the challenges based on the app client id. So when the app client id is 1, use the normal login challenges, and when the app client id is 2, send extra challenges to the client.
The client should log in with app client id 1, and if it fails to log in with the reason "Unable to login because of security reasons", then log in using app client id 2.
Unfortunately, Cognito does not have separate error codes, so I had to look for the error string in the response. This approach does require a client whose request is deemed risky to make a second Cognito request. This will take longer for that client, but at least most users will not see slower logins.
One option that was explored and dropped was to use the Cognito admin API from the lambda. There are two issues with this. First, every login would be slowed down by this additional HTTP request to Cognito. Second, you can get the last n events, but there is no way to ensure we request the right event. In the case of simultaneous login attempts, one no risk and one high risk, if the admin API returns the no-risk one as the last event, then both logins would pass through as no risk.
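The trigger-side branching and the client-side error-string check described in this answer, as an added example (not code from the question or the answer). The app client ids are constructed placeholders, the wrong-answer limit is an assumption, and the challenge content itself would come from the CreateAuthChallenge and VerifyAuthChallengeResponse triggers, which are not shown.

```javascript
// Constructed app client ids (placeholders; use the ids from your own user pool).
// Client 1: adaptive authentication set to block on risk.  Client 2: set to always allow.
const REQUIRED_CHALLENGES = {
  "app-client-id-1": 1, // normal login: one custom challenge
  "app-client-id-2": 2, // fallback client for sign-ins client 1 refused: one extra challenge
};
const MAX_WRONG_ANSWERS = 2; // assumption: fail the flow after this many wrong answers

// DefineAuthChallenge trigger: from the session so far, decide whether to issue tokens,
// fail authentication, or send another CUSTOM_CHALLENGE. Unknown client ids fail closed.
function defineAuthChallenge(event) {
  const required = REQUIRED_CHALLENGES[event.callerContext.clientId];
  const session = event.request.session || [];
  const custom = session.filter((s) => s.challengeName === "CUSTOM_CHALLENGE");
  const wrong = custom.filter((s) => s.challengeResult === false).length;
  const passed = custom.filter((s) => s.challengeResult === true).length;

  const response = { issueTokens: false, failAuthentication: false, challengeName: undefined };
  if (required === undefined || wrong >= MAX_WRONG_ANSWERS) {
    response.failAuthentication = true; // unknown app client or too many wrong answers
  } else if (passed >= required) {
    response.issueTokens = true; // enough challenges passed for this app client
  } else {
    response.challengeName = "CUSTOM_CHALLENGE"; // ask for the next challenge
  }
  event.response = { ...event.response, ...response };
  return event;
}

// Client side: Cognito returns no distinct error code for an adaptive-auth block, so the
// caller matches the message text from the answer and retries once with app client id 2.
const SECURITY_BLOCK_MESSAGE = "Unable to login because of security reasons";
function shouldRetryWithFallbackClient(err) {
  return typeof err?.message === "string" && err.message.includes(SECURITY_BLOCK_MESSAGE);
}

// Lambda entry point (exported only when running under CommonJS).
const handler = async (event) => defineAuthChallenge(event);
if (typeof module !== "undefined") module.exports = { handler, defineAuthChallenge, shouldRetryWithFallbackClient };
```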