This CDK app is a proof-of-concept implementation of the FIDO2/WebAuthn protocols for passwordless logins, using Amazon Cognito as the "Relying Party" (authentication server). This is made possible thanks to a couple of existing technologies:
A demo deployment is available here: https://delzs89prk9ue.cloudfront.net/
The goal of this sample code was to replicate the example provided by SimpleWebAuthn serverlessly, using Amazon Cognito and CloudFront+S3 instead of a long-running Node.js server. Advantages:
- Faster/easier setup
- Automatically scalable
- Shows how to augment an existing AWS authentication mechanism (Amazon Cognito) with FIDO2/WebAuthn
- Passwordless login flow
Prerequisites:
- AWS Account
- AWS CDK (TypeScript)
- Node/Npm
- FIDO2/WebAuthn-compatible authenticator (e.g. a YubiKey)
```shell
git clone https://github.com/aaronbrighton/cdk-serverless-cognito-fido2-webauthn.git
cd cdk-serverless-cognito-fido2-webauthn
npm install
npx cdk deploy
```
You should see the URL of the deployed web app in the final output of the above command:
```text
Outputs:
simplewebauthn-example-cognito.webappcloudfrontoutput = https://delzs89prk9ue.cloudfront.net/
```
- You can register multiple authenticators by hitting the register button again.
- Due to the implementation and the length limit on Amazon Cognito custom user attributes, only 2 authenticators can be registered to a given email address at a time.
The majority of proof-of-concept deployments of this code should fall under the AWS Free Tier.