Passwordless Phone Number Authentication using AWS Amplify & Cognito

Praveen

January 25, 2020 6 min read

Storing user passwords has always been a risk. On top of it, it requires the user to remember more details – username and password. It is also inconvenient for users to recover their account in case they forget their password. To solve these problems many services have started to opt for Passwordless authentication using Phone number and E-mail.

Passwordless Authentication using Phone Number

In passwordless authentication, a user needs to remember only their username which is usually a phone number or email. The process is similar to recovering a forgotten password but shorter and quicker.

When a user enters their phone number, they will receive a one time password (OTP) to their phone then they have to enter it on the next screen.

In this article, we will implement a passwordless phone number authentication in a serverless application using AWS Amplify & Cognito. Let’s get started!

Creating Cognito User Pool

Attributes

We want our users to use their phone numbers as the username. Hence in the attributes section, choose “Email address or Phone number” and under that choose “Allow Phone numbers”.

To make our sign up process even simpler we won’t require any standard or custom attributes from the user.

Policies

The only thing that matters in this section is to “Allow users to sign themselves up“.

MFA and Verifications

We don’t have MFA for passwordless authentication, hence make sure “Off” is selected.

Account recovery is also not applicable for us, so we will select “None – users will have to contact an administrator to reset their passwords“.

We don’t need verification as well, because the phone number is implicitly verified every time user signs in using the OTP. Select “No Verification“.

App Clients

Click “Add an App Client”. Provide a name for the App Client and make sure you uncheck “Generate Client Secret“.

AWS Cognito doesn’t support passwordless authentication out of the box. So, we will select “Enable lambda trigger-based custom authentication” and uncheck other configurations.

Triggers

This is the most important section. We will come back to this later when we have our lambda functions ready.

So go ahead and finish the remaining step and create the User Pool.

Custom Authentication Flow

Custom authentication flow are be implemented using the Cognito triggers and lambdas. We have to write lambda function for each step in the authentication flow. Following steps describe our authentication flow:

User will enter the phone number, and click Login.
User pool will receive the phone number, it will then call the “Define Auth Challenge” lambda. This lambda is responsible to drive the entire authentication flow. It determines which custom challenge needs to be created. In our case, the custom challenge will be to send and verify OTP.
User pool will then call “Create Auth Challenge” lambda function. This lambda will generate a OTP and sends it as an SMS.
User will then retrieve and enter the OTP.
User pool will then call “Verify Auth Challenge” lambda function. This lambda is responsible to check if the OTP user has entered is correct or not.
User pool will then again call “Define Auth Challenge” to check whether the user has completed all the challenge. In case of Multi-factor authentication there will be multiple challenges.
Once all the challenges are completed, user will be logged in successfully.

Pre Sign Up

This lambda function is responsible to auto confirm and auto verify phone number during sign up.

exports.handler = async (event) => {
    event.response.autoConfirmUser = true;
    event.response.autoVerifyPhone = true;
    return event;
};

Define Auth Challenge

It will receive a session array that will have the details of all the challenges and its result.

If the session array is empty, it means the authentication flow has just begun. Then we will present the “CUSTOM_CHALLENGE“.

If the session array is not empty, it means the user has answered the challenge and their answer is validated to be right or wrong. The validation result will be present in challengeResult field.

If answer is wrong, we will provide the same challenge once again. This way we will give the user 3 chances to enter the correct OTP. If wrong OTP is entered in all 3 attempts we will close the session and return an error.

If the OTP is correct, we will login the user and issue the authentication tokens.

Additionally, we will also check if the user is already registered or not. If user is not registered we will throw an error. The right place to do this is actually “Pre Authentication” trigger, but for some reason that trigger doesn’t work for custom authentication flow.

exports.handler = async (event, context, callback) => {
    console.log(event.request);
    
    // If user is not registered
    if (event.request.userNotFound) {
        event.response.issueToken = false;
        event.response.failAuthentication = true;
        throw new Error("User does not exist");
    }
    
    if (event.request.session.length >= 3 && event.request.session.slice(-1)[0].challengeResult === false) { // wrong OTP even After 3 sessions?
        event.response.issueToken = false;
        event.response.failAuthentication = true;
        throw new Error("Invalid OTP");
    } else if (event.request.session.length > 0 && event.request.session.slice(-1)[0].challengeResult === true) { // Correct OTP!
        event.response.issueTokens = true;
        event.response.failAuthentication = false;
    } else { // not yet received correct OTP
        event.response.issueTokens = false;
        event.response.failAuthentication = false;
        event.response.challengeName = 'CUSTOM_CHALLENGE';
    }
    
    return event;
};

Create Auth Challenge

This lambda function is responsible to generate the OTP and send it as an SMS.

Once the OTP is generated, we can send the SMS using AWS Simple Notification Service. We will also store the generated OTP in two fields:

privateChallengeParamater this field will be read by Verify Auth Challenge lambda to compare it against the answer.
challengeMetaData this field will be persisted across multiple calls to Create Auth Challenge. So that we don’t have to generate a new OTP and send SMS for the 2nd and 3rd attempts, instead we can re-use the OTP generated on the 1st attempt.

const AWS = require('aws-sdk');

function sendSMS(phone, code) {
    const params = {
      Message: code, /* required */
      PhoneNumber: phone,
    };
    
    return new AWS.SNS({apiVersion: '2010-03-31'}).publish(params).promise();
}

exports.handler = async (event) => {
    console.log("CUSTOM_CHALLENGE_LAMBDA", event.request);
    
    let secretLoginCode;
    if (!event.request.session || !event.request.session.length) {

        // Generate a new secret login code and send it to the user
        secretLoginCode = Date.now().toString().slice(-4);
        try {
            await sendSMS(event.request.userAttributes.phone_number, secretLoginCode);
        } catch {
           // Handle SMS Failure   
        }
    } else {

        // re-use code generated in previous challenge
        const previousChallenge = event.request.session.slice(-1)[0];
        secretLoginCode = previousChallenge.challengeMetadata.match(/CODE-(\d*)/)[1];
    }
    
    console.log(event.request.userAttributes);
    
    // Add the secret login code to the private challenge parameters
    // so it can be verified by the "Verify Auth Challenge Response" trigger
    event.response.privateChallengeParameters = { secretLoginCode };

    // Add the secret login code to the session so it is available
    // in a next invocation of the "Create Auth Challenge" trigger
    event.response.challengeMetadata = `CODE-${secretLoginCode}`;
    
    return event;
};

Verify Auth Challenge

This lambda function is responsible to check if the OTP entered by the user is correct or not.

When user enters the OTP, it will be available in the challengeAnswer field of the event request object. We can also read the actual generated OTP from the privateChallengeParameter field and compare it to check if the user entered OTP is correct or not.

exports.handler = async (event) => {
    console.log(event.request);
    
    const expectedAnswer = event.request.privateChallengeParameters.secretLoginCode; 
    if (event.request.challengeAnswer === expectedAnswer) {
        event.response.answerCorrect = true;
    } else {
        event.response.answerCorrect = false;
    }
    
    return event;
};

Custom Sign In Page

We need to create a custom sign-in page to match our custom authentication flow. But, first we need to add Amplify to our project:

yarn add aws-amplify

Also Read: Authentication in Serverless React Application using AWS Amplify

Add Amplify to the Project

We will be using Amplify’s authentication module. For that, we need to first add Amplify to our project.

amplify init

This will ask you a series of simple questions. Just follow the wizard and finish it.

Configure Amplify

To configure Amplify, we need to provide the Region code, Cognito User Pool ID and App Client ID.

import Amplify, { Auth } from 'aws-amplify';

Amplify.configure({
  Auth: {
    region: 'us-east-1',
    userPoolId: '**********',
    userPoolWebClientId: '******************',
  }
});

Sign Up

We can sign up a new user by calling the signUp. Since AWS doesn’t support passwordless authentication it requires us to provide a password. So, we can use a random dummy password.

try {
  await Auth.signUp({
    username: phoneNumber,
    password: Date.now().toString()
  });
} catch {
  // Handle sign up error
}

Sign In

We can initiate our custom authentication flow by calling the signIn method.

try {
  const cognitoUser = await Auth.signIn(phoneNumber);
} catch {
  // Handle sign in errors
}

Once the promise is resolved, we can prompt the user to enter the code.

Answer the Custom Challenge

We can submit the code to User Pool for verification by calling sendCustomChallengeAnswer with cognitoUser (returned on signIn call) and the OTP as paramaters.

try {
  const cognitoUser = await Auth.sendCustomChallengeAnswer(user, OTP);
} catch {
  // Handle 3 error thrown for 3 incorrect attempts. 
}

Once the promise is resolved user will be logged in successfully and you will get the authentication tokens in response.

Check logged-in user information

To get information about the current logged in user, we can use currentAuthenticatedUser method. This method will throw an error if user is not logged in, so it can be used to check if the user is logged in or not.

try {
  const data = await Auth.currentAuthenticatedUser();
} catch {
  // User not logged in
}

That’s all folks! It wasn’t that difficult was it? So what do you think about the passwordless authentication – will you develop one in your next project?

See responses (27)

Leave a Reply Cancel reply

Gautam says:

May 18, 2022 at 10:17 pm

Let’s say for some reason the user has not received the OTP and I want to allow the user option to resend the same OTP, what will be the method for that?
If I call signin () again it will start a new session and send a new OTP but all I need is to send the same OTP again.

orr levinger says:

October 5, 2020 at 10:15 am

how can i test it? is there a way as an admin to not send SMS so i can test my api with mocha?
also would this still work with my facebook login or will the triggers break the facebook flow?

orr levinger says:

October 1, 2020 at 9:52 am

and no where here do u explain the roles that needs to be created for the lambda invokations of SNS

orr levinger says:

October 1, 2020 at 9:32 am

Can you share a SAM version of the Cognito configurations for this?

Akila says:

September 24, 2020 at 2:24 pm

I am trying to use this with flutter.Is is possible or not

Ravi Singh Yadav says:

August 10, 2020 at 1:11 pm

Hi Praveen,

I am following your tutorial for OTP implementation but I am using java 8 for the same however cognito concepts will remain same.

I am stuck in create auth challange.

Roland Barro says:

July 22, 2020 at 1:51 am

// snippet
const signUpObj = {
“ClientId”: “myClientId”,
“Username”: “+12027953213”,
“Password”: “1595375749602”,
“UserAttributes”: [],
“ValidationData”: null
};

try {
const result: SignUpResult = await Auth.signUp(signUpObj);
resolve(result);
} catch(error) {
console.log(error)
}
// end of snippet

// result:
/*
{
“__type”: “InvalidParameterException”,
“message”: “Attributes did not conform to the schema: email: The attribute is required\n”
}*/

Parik Panchal says:

May 20, 2020 at 10:20 pm

Excellent Tutorial – super concise and helpful. There is a slight error in the create auth challenge lambda that does not allow users to send SMS messages – I have put a complete lambda that works here => https://gist.github.com/ppanchal97/ad9daae12fd50062588d564190b9bac3. Please comment on any changes if required, hope it helps anyone.

Ravi Singh Yadav says:

August 10, 2020 at 1:06 pm

can u please send this link again

Reply

Arif Mustaffa says:

April 30, 2020 at 8:31 am

Hi Praveen, I have an issue once Auth.signIn(phoneNumber) is called, I do not get an OTP SMS to verify. I copy ur code exactly as it is. The Auth.signUp() is working well. I get the OTP, however it is not the same for Auth.signIn().

Once I called Auth.signIn(phoneNumber), I was returned an Object from Cognito like below:

CognitoUser {
“Session”: “BUNCH_OF_TOKEN”,
“authenticationFlowType”: “CUSTOM_AUTH”,
“challengeName”: “CUSTOM_CHALLENGE”,
“challengeParam”: Object {
“USERNAME”: “XXXX”,
},
“client”: Client {
“endpoint”: “https://cognito-idp.XX-XX-XX.amazonaws.com/”,
},
“keyPrefix”: “CognitoIdentityServiceProvider.XXXX”,
“pool”: CognitoUserPool {
“advancedSecurityDataCollectionFlag”: true,
“client”: Client {
“endpoint”: “https://cognito-idp.XX-XX-XX.amazonaws.com/”,
},
“clientId”: “XXXXX”,
“storage”: [Function MemoryStorage],
“userPoolId”: “XX-XXXX-XXXX”,
},
“signInUserSession”: null,
“storage”: [Function MemoryStorage],
“userDataKey”: “CognitoIdentityServiceProvider.XXXX”,
“username”: “+XXXX”,
}

Can help me please? Thanks.

Arif Mustaffa says:

April 30, 2020 at 9:11 am

What is user in const cognitoUser = await Auth.sendCustomChallengeAnswer(user, OTP)? Is it phone number or whole bunch of Object from Auth.signIn()?

Reply

Neeraj says:

March 24, 2020 at 6:20 am

Hi Praveen,

I am following your tutorial for OTP implementation but I am using Python for the same however cognito concepts will remain same.

I am stuck in Verify OTP :
– Initially we will call `respond_to_auth_challenge` with user OTP and that will trigger VerifyChallenge Lambda.
– BUT this `respond_to_auth_challenge` need a param session and I don’t know from where this session will be retrieve.
– Its not present in the body.
– Static Session not working (Invalid session)
– And you didn’t either created any session in this tutorial. SO I am assuming cognito will itself start a session but where ? and how `respond_to_auth_challenge` will receive this session.

Anonymous says:

March 21, 2020 at 10:21 am

sendSMS function accepts two parameters, but only one passed in, where did you get phone parameter?

Praveen says:

March 22, 2020 at 2:15 pm

Thanks, that was a typo. You can get the phone number from the event.request.

event.request.userAttributes.phone_number

Reply

Dmitriy says:

March 19, 2020 at 12:09 pm

I have an error in that the user is created after calling the signUp method, but the code does not come to the phone.

Dmitriy says:

March 19, 2020 at 11:47 am

Please post a minimal example on github.

Praveen says:

March 22, 2020 at 2:17 pm

Sure, I will try and put something up on github.

Reply
- Ivan Hale says:
  
  September 2, 2020 at 6:37 pm
  
  Still waiting for that repo…
  
  Reply

vipul sharma says:

February 20, 2020 at 1:50 pm

Hi Praveen ,
I was finally able to implement this , but now my CreateAuth Lambda is executed 3 times for no reason and i am getting 3 SMS.

@Apoorv I faced similar Issue Just delete all your Resources and recreate them from start starting from amplify init
This will resolve your issue

Chandler Barnes says:

July 11, 2020 at 12:26 am

Vipul, it is likely that your Lambda is timing out. Custom Auth triggers have a 5 second time limit. Check your logs for the duration of your requests to your Create Auth Lambda. If it is taking longer to stand up, increase the memory in your CloudFormation template. (You’d want at least 256MB.)

Reply

Sateesh says:

February 10, 2020 at 10:02 am

Hey Praveen ,
Can you please explain me how to handle if enter wrong OTP.

Praveen says:

February 10, 2020 at 3:46 pm

Hey Sateesh, Just set `answerCorrect = false`. Then handle the error on UI and allow the user to retry. Just use the same cognitouser object on next try to continue the flow.

Reply

Vipul Sharma says:

February 7, 2020 at 1:03 pm

Also What nodejs version did you use for Lambdas?

Praveen says:

February 10, 2020 at 3:48 pm

I was using Node.js 12.x

Reply

Vipul says:

February 7, 2020 at 1:01 pm

Hey Praveen ,
Thanks for the updated walkthrough. I am stuck at Auth.sendCustomChallengeAnswer and encountered SerializationException ?
Did u saw something similar ever?

Apoorv says:

February 3, 2020 at 7:27 am

I am having trouble adding auth lambda triggers in amplify. When I try to amplify push with auth triggers I get error “Resource is not in the state stackUpdateComplete”. Can you please walk through initializing lambda triggers in amplify cli.

Praveen says:

February 3, 2020 at 4:48 pm

That error can occur due to various reasons. The issue is tracked here: https://github.com/aws-amplify/amplify-cli/issues/82
If you tell me the errors you see in AWS Management Console I might be able to help.

Reply

Passwordless Authentication using Phone Number

Creating Cognito User Pool

Attributes

Policies

MFA and Verifications

App Clients

Triggers

Custom Authentication Flow

Pre Sign Up

Define Auth Challenge

Create Auth Challenge

Verify Auth Challenge

Custom Sign In Page

Add Amplify to the Project

Configure Amplify

Sign Up

Sign In

Answer the Custom Challenge

Check logged-in user information

Leave a Reply Cancel reply

You Might Also Like