How to implement the forced password reset after continuous failed login attempts for AWS Cognito User pool

Cognito User pool is a fully managed service storing and retrieving username, password, profile fields, and custom fields. This service is mostly used for authentication of mobile and web applications.

Cognito Identity pool is also a fully managed service for issuing temporary AWS service access identities for your mobile or web app users using either social identity providers or Cognito user pool.

In order to implement the forced password reset after continuous failed attempts, we have leveraged the following Cognito User pool triggers.

This trigger is invoked just before Cognito verifies the provided username and password. For this trigger, we have implemented a custom Lambda function which stores the user’s Login attempts count in DynamoDB and based on this count we make the decision to whether we need to force the user to reset their password by email verification or not.

This trigger is invoked just after Cognito has successfully authenticated the user. In this Lambda trigger, we are resetting user’s Login attempts count in DynamoDB by deleting the item from the DB.

Now you know how to improve the security of your Cognito user pool implementation by using the above method to force the users to reset their password after continuous failed attempts. Please try this out and let me know if you have faced any issues while implementing this.

Related posts:

A mantra is an easy way to shape your goals and plans for the year ahead. I’ve had one for each year for as long as I can remember. They help provide a very accurate sense of direction, but too often…

For a section of the world’s population, the world “African” is synonymous to strength, grit, tenacity, and physical toughness. For many that is all the recollection they have about its people. This…