Building adaptive authentication with Amazon Cognito and Authsignal

Ashutosh Bhadauriya
November 25, 2025

If you’ve built authentication with Amazon Cognito, you know it handles the heavy lifting of user management beautifully. But modern applications need more than just sign-in security. You need to protect high-value transactions, detect suspicious behavior mid-session, and adjust your security without deploying new code every time your fraud team spots a new attack pattern.

We recently published a piece on the AWS Partner Network blog exploring how Authsignal extends Cognito's capabilities to enable adaptive and continuous authentication. In this post, we'll take a more practical approach and show you how to actually implement this in your application.

The problem with static authentication

Let’s start with a common scenario. You’ve built a fintech app using Cognito for user authentication. Your security team wants to add extra verification for transactions over $1,000, require additional checks when users sign in from new devices, and step up authentication when accessing sensitive account settings.

With Cognito alone, you’d need to build custom Lambda triggers, manage complex authentication state, and update code every time business requirements change. Your fraud analyst wants to adjust the $1,000 threshold to $500 based on emerging patterns? That's a code deployment.

This is where continuous authentication comes in. Instead of treating authentication as a one-time gate at sign-in, you can verify users throughout their journey based on what they're actually trying to do.

How Authsignal extends Cognito

Authsignal integrates with your existing Cognito user pool and adds three key capabilities:

1. Flexible authentication methods beyond Cognito's built-in options

While Cognito supports SMS, TOTP, email OTP, and passkeys, Authsignal adds WhatsApp OTP, push notifications, QR code verification, biometric verification with liveness detection, and more. This gives you options to balance security, user experience, and cost for different scenarios.

2. A no-code rules engine for adaptive authentication

Your business users (fraud analysts, product managers) can configure authentication rules based on risk signals, user context, and transaction data without touching code. The rules engine evaluates factors like device fingerprint, location, transaction amount, and user behavior to determine the right authentication method at the right time.

3. Continuous authentication throughout the user journey

After the initial Cognito sign-in, Authsignal can challenge users at critical points like high-value transactions, sensitive data access, or security setting changes. This means lower friction at sign-in and stronger protection where it actually matters.

Architecture overview

Here's how the pieces fit together:

  1. Users sign in through your application using Cognito
  2. Cognito invokes Authsignal via Lambda triggers (Create Auth Challenge, Verify Auth Challenge Response) during the authentication flow
  3. Authsignal's rules engine evaluates the context and selects the appropriate authentication method
  4. For continuous authentication after sign-in (like payments or changing settings), your application backend calls Authsignal's API directly to challenge users when needed
  5. Business users configure rules and policies through Authsignal's dashboard

Implementation walkthrough

Step 1: Set up your Authsignal tenant

First, you'll need an Authsignal account. You can find Authsignal in the AWS Marketplace or sign up directly at authsignal.com.

Once you have your tenant, grab your API key and tenant URL. You'll need these for the integration.

Step 2: Integrate with Cognito for sign-in

Authsignal provides a Lambda layer that makes the Cognito integration straightforward. You'll add Authsignal checks to your Cognito user pool's Define Auth Challenge Lambda trigger.

Check out our Cognito integration guide for the detailed setup steps and Lambda code examples.

Step 3: Add continuous authentication to your application

After sign-in, you can challenge users at any point in their journey.

Here's a conceptual example for a payment flow:

// Assumes `authsignal` is an initialized Authsignal server SDK client and
// `processPaymentTransaction` is your application's own payment function.

// User attempts a payment
async function processPayment(userId, amount) {
  // Track the payment action with Authsignal
  const result = await authsignal.track({
    userId,
    action: 'payment',
    attributes: {
      custom: {
        amount
      }
    }
  });

  // Check if additional authentication is required
  if (result.state === 'CHALLENGE_REQUIRED') {
    return {
      requiresAuth: true,
      challengeUrl: result.url, // for the pre-built UI
      token: result.token // for a custom UI
    };
  }

  // Proceed with payment
  return processPaymentTransaction(amount);
}

Step 4: Configure your authentication rules

This is where non-technical users take over. In the Authsignal dashboard, you can create rules like:

  • If payment amount > $1000 AND user is on a new device, require passkey authentication
  • If user location changed countries, require email OTP verification
  • If accessing security settings AND last authentication > 5 minutes ago, require push notification

These rules can be updated in real time without redeploying your application.
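The Step 3 payment flow combined with the first Step 4 rule, as an added example that is not code from the original post or from Authsignal's SDK. It fails closed on any state other than an explicit allow and completes the payment only after validating the challenge server-side. Assumptions: `makeStubAuthsignal`, `solve`, `pending` and `completePayment` are hypothetical names, the `validateChallenge` shape and the `ALLOW`, `BLOCK`, `CHALLENGE_SUCCEEDED` and `CHALLENGE_FAILED` states are assumed, and the `newDevice` and `blocked` attributes and the `example.invalid` URL are constructed.

```javascript
// Stand-in for the Authsignal server SDK so the flow runs offline (constructed).
// track() applies the page's "amount > $1000 AND new device" rule; the
// validateChallenge() shape and the states other than CHALLENGE_REQUIRED are assumptions.
function makeStubAuthsignal() {
  const issued = new Map(); // token -> { userId, action, solved }
  let n = 0;
  return {
    async track({ userId, action, attributes }) {
      const { amount, newDevice, blocked } = attributes.custom;
      if (blocked) return { state: 'BLOCK' }; // constructed flag simulating a block rule
      if (!(amount > 1000 && newDevice)) return { state: 'ALLOW' };
      const token = `tok-${++n}`;
      issued.set(token, { userId, action, solved: false });
      return { state: 'CHALLENGE_REQUIRED', token, url: `https://example.invalid/c/${token}` };
    },
    solve(token) { issued.get(token).solved = true; }, // simulates the user passing the challenge
    async validateChallenge({ token }) {
      const c = issued.get(token);
      if (!c || !c.solved) return { state: 'CHALLENGE_FAILED' };
      issued.delete(token); // single use: a replayed token fails
      return { state: 'CHALLENGE_SUCCEEDED', userId: c.userId, action: c.action };
    },
  };
}

const pending = new Map(); // token -> { userId, payment }, kept server-side

// Fail closed: only an explicit ALLOW pays; BLOCK or any unknown state is denied.
async function processPayment(authsignal, userId, payment) {
  const result = await authsignal.track({
    userId, action: 'payment', attributes: { custom: payment },
  });
  if (result.state === 'ALLOW') return { status: 'paid', amount: payment.amount };
  if (result.state !== 'CHALLENGE_REQUIRED') return { status: 'denied' };
  pending.set(result.token, { userId, payment });
  return { status: 'challenge', token: result.token, url: result.url };
}

// Runs when the client comes back from the challenge. The outcome is validated
// server-side, and the payment executed is the stored one, not one the client resends.
async function completePayment(authsignal, userId, token) {
  const p = pending.get(token);
  if (!p || p.userId !== userId) return { status: 'denied' };
  pending.delete(token);
  const v = await authsignal.validateChallenge({ token });
  const ok = v.state === 'CHALLENGE_SUCCEEDED' && v.userId === userId && v.action === 'payment';
  return ok ? { status: 'paid', amount: p.payment.amount } : { status: 'denied' };
}
```

Storing the pending payment at challenge time ties the approval to the amount the user was actually challenged for.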

Real-world use cases

E-commerce platform: Use lightweight authentication at checkout for small purchases, but require additional verification for orders over $500 or when shipping to a new address.

Banking application: Allow users to view balances with just their initial sign-in, but challenge them with biometric verification when initiating wire transfers or updating beneficiaries.

Healthcare portal: Enable quick access to appointment scheduling with basic auth, but require stronger verification when accessing medical records or submitting insurance claims.

SaaS platform: Let users browse and use basic features freely, but step up authentication when they try to modify billing information or access admin panels.

What's next?

If you're already running Cognito, you can integrate Authsignal without disrupting your existing authentication flow.

We've put together some resources to help you implement this:

  • Full integration documentation with code examples
  • SDK documentation for your application integration

You can also reach out to our team for guidance specific to your use case. We've helped teams implement this pattern across fintech, healthcare, e-commerce, and SaaS applications.

Check out Authsignal on AWS Marketplace or visit authsignal.com to get started.
