Category: Marketplace
Type: Other

Amazon Web Services (AWS) is the world's most comprehensive cloud platform, offering over 200 fully featured services from data centers globally. Amazon Cognito is AWS's customer identity and access management (CIAM) service that provides user authentication, authorization, and user management for web and mobile applications.

Authsignal extends Amazon Cognito's capabilities through Lambda trigger integration, adding advanced authentication features without requiring changes to your existing Cognito user pools. While Cognito handles core identity management and session management, Authsignal provides adaptive multi-factor authentication, continuous post-login security, and a broader range of authentication methods. This combination lets organizations maintain AWS infrastructure benefits while gaining enterprise-grade authentication controls.

The integration works through Cognito's custom authentication challenge Lambda triggers. During sign-in, Cognito invokes Authsignal's rules engine, which evaluates risk signals and user context to select the appropriate authentication method. For continuous authentication after sign-in (protecting high-value actions like payments or account changes), your application backend calls Authsignal's API directly to challenge users when needed. Business users configure authentication rules through Authsignal's no-code dashboard, enabling policy updates without redeploying code.

Authsignal enhances Cognito with authentication methods including FIDO2 passkeys, WhatsApp OTP (reducing SMS costs), email magic links and OTP, push notifications, biometric authentication with liveness detection, and TOTP authenticator apps. The no-code rules engine lets non-technical teams adjust authentication requirements based on risk signals like device characteristics, location patterns, transaction amounts, and user behavior, without involving engineering resources.

This partnership is particularly valuable for organizations already using AWS infrastructure who need to add adaptive authentication, implement step-up security for high-risk actions, reduce SMS authentication costs, or deploy passkeys without months of custom development. Authsignal is an AWS-certified partner and has passed the AWS Well-Architected Framework Review (WAFR) for its Cognito integration.

Who this integration is for:

  • Organizations using Amazon Cognito who need adaptive or step-up authentication capabilities
  • Development teams implementing passkeys, biometrics, or WhatsApp OTP without extensive custom development
  • Financial services and fintech companies requiring transaction-based authentication controls
  • SaaS platforms needing post-login security for sensitive operations (billing changes, admin access, data exports)
  • Security and fraud teams who need to adjust authentication policies without code deployments

Prerequisites:

  • AWS account with Amazon Cognito user pool configured
  • Authsignal account (available through AWS Marketplace or direct signup)
  • Basic familiarity with AWS Lambda functions

Integration approaches:

Authsignal offers two integration paths depending on your UI requirements:

  1. Pre-built UI - Drop-in hosted authentication UI supporting passkeys, OTP methods, and biometrics. Customize branding and design to match your application. Best for rapid deployment with minimal frontend development.
  2. Custom UI - Build your own authentication interface using Authsignal's Client SDKs for web (React, JavaScript) and mobile (iOS, Android, React Native, Flutter). Provides complete control over user experience while maintaining security standards.

Setup overview:

  1. Configure Cognito user pool settings - Set up custom authentication challenge Lambda triggers. Choose email as sign-in option, disable Cognito's native MFA (handled by Authsignal instead), and configure appropriate client settings.
  2. Deploy Lambda functions - Install Authsignal's Lambda layer and implement three trigger functions:
    • Define Auth Challenge - Creates authentication challenges during sign-in
    • Create Auth Challenge - Initiates Authsignal verification flows
    • Verify Auth Challenge Response - Validates Authsignal tokens to complete authentication
  3. Integrate Authsignal client SDK - Add Authsignal's SDK to your application frontend. Configure with your tenant ID and regional endpoint. The SDK handles authentication method enrollment and verification flows.
  4. Configure authentication rules - Use Authsignal's dashboard to create no-code rules based on user signals, transaction data, and business requirements. Rules determine which authentication methods to require for different scenarios.
  5. Add continuous authentication - For post-login security (step-up authentication), integrate Authsignal API calls into your application backend before executing sensitive operations.
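
The three triggers from step 2, sketched as an added example (not Authsignal's own code or templates). The event fields are Cognito's custom authentication trigger fields; `startChallenge`, `validateToken`, their return shapes and `MAX_ROUNDS` are hypothetical stand-ins for the provider calls and policy.

```javascript
// Added example. Event fields are Cognito's custom-auth trigger fields;
// startChallenge and validateToken are hypothetical stand-ins for provider calls.
const MAX_ROUNDS = 3; // assumption: cap on challenge rounds per sign-in

// Define Auth Challenge: choose the next step from the session history.
function defineAuthChallenge(event) {
  const session = event.request.session || [];
  const last = session[session.length - 1];
  const res = event.response;
  res.issueTokens = false;
  res.failAuthentication = false;
  if (last && last.challengeName === "CUSTOM_CHALLENGE" && last.challengeResult === true) {
    res.issueTokens = true; // only a verified custom challenge yields tokens
  } else if (session.length >= MAX_ROUNDS) {
    res.failAuthentication = true; // bounded retries
  } else {
    res.challengeName = "CUSTOM_CHALLENGE";
  }
  return event;
}

// Create Auth Challenge: start a verification flow for this user.
async function createAuthChallenge(event, startChallenge) {
  const { url, challengeId } = await startChallenge(event.userName);
  event.response.publicChallengeParameters = { url }; // sent to the client
  event.response.privateChallengeParameters = { challengeId }; // kept server-side
  return event;
}

// Verify Auth Challenge Response: the client's answer is a token from the
// verification flow. Accept it only if it validates AND is bound to this user
// and this challenge; any error fails closed.
async function verifyAuthChallengeResponse(event, validateToken) {
  const expected = event.request.privateChallengeParameters || {};
  let ok = false;
  try {
    const r = await validateToken(event.request.challengeAnswer);
    ok = r.verified === true &&
      Boolean(expected.challengeId) &&
      r.userId === event.userName &&
      r.challengeId === expected.challengeId;
  } catch (err) {
    ok = false; // validation error or malformed token: reject
  }
  event.response.answerCorrect = ok;
  return event;
}
```

Binding the validated token to both `event.userName` and the stored `challengeId` is what stops a token issued for one user or one sign-in attempt from completing another.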

Regional availability:

Authsignal operates in three regions to minimize latency with your Cognito deployment:

  • US (Oregon)
  • AU (Sydney)
  • EU (Dublin)

Integration flexibility:

The integration works with both AWS SDK and AWS Amplify implementations. It supports existing Cognito user pools without requiring user migration or structural changes. Your users remain in Cognito while Authsignal handles authentication verification.

For detailed implementation guides, code examples, and Lambda function templates, see the Authsignal AWS Cognito documentation. You can also reference the AWS Partner Network blog post for architectural guidance.