The pros and cons of using AWS Cognito for user authentication

AWS Cognito is one of many services available on the Amazon cloud platform. Using this service you can easily connect it with other available services on AWS such as API Gateway, AppSync, or Lambdas. It can store user data like given name, family name, email, username, password, and any other data which your users usually keep in the web or mobile application.

What is AWS Cognito for

If you want to allow users to register and log into your page, store their personal information, and some of the features like two-factor authentication or password recovery procedure, this service is something worth using. Not only does it allow you to avoid writing a backend service, but it also requires less code on the frontend. On the other hand, it’s not a silver bullet, so it’s good to know most of the pros and cons of using it before you make a decision.

Getting started

Connection with AWS Cognito service on the application side can be done by importing the AWS Amplify module, available to download as an NPM module (Node Package Manager). It gives your application the ability to connect with the AWS Cognito service, and implement the native user interface forms for authentication, password recovery, etc.

The pros of AWS Cognito

1. Fully configurable via the AWS control panel

2. Easy to connect with your application via provided AWS Amplify module (available for most popular frameworks/libraries, like Vue, Angular, React)

3. No need for an additional global state management solution in your app. AWS Amplify will check if the user is already logged for you. It provides its own global state which can be used across the whole application.

4. Out-of-the-box, UI forms for logging in, registration, password recovery, password change, federated authentication, MFA (Multi-Factor Authentication) e.g. SMS, Email, and TOTP (Temporary One Time Password) Confirm MFA Code’s and Provide QR codes for TOTP

5. All the data will be automatically stored in cloud AWS Cognito service (users information)

6. Confirmation emails (after user registration) will be automatically sent to the user as well as text messages to verify the user’s phone number

7. You can store custom attributes for users like address, phone number, city and any custom field which you want to

8. Data sent from the application is already encrypted and secured by the AWS Amplify module

9. Easy to connect with other AWS services like AWS AppSync

10. UI Form validations managed by AWS control panel

11. Integration with Social identity providers e.g. “Log in with Google” (or Facebook).

12. Error messages already provided by service

13. Several ways to handle forms on the application side

14. AWS Amplify allows for making HTTP requests (it’s using Axios module under the hood)

15. Out of the box security features like throttling (to prevent brute force attacks) or refresh tokens (to allow revoking access tokens)

The cons of AWS Cognito

1. It’s a paid solution

2. Documentation is rarely updated and not much detailed

3. Some of the options can be only set during the creation of an AWS Cognito user pool in the AWS administration panel. After that those options are disabled and if you want to change them you need to delete the whole instance and create a new one. This can be painful in the very beginnings of the project — when you are not sure which options you will eventually use in production.

4. Aligning provided UI forms with some of the designs can sometimes be problematic, then probably the fastest way is to create your own form components

5. Error messages provided by AWS Cognito are not very user friendly. Sometimes they are too technical, so you need to provide some kind of an error mapper in the application, to show more user-friendly messages. For example when a user tries to login with the wrong password.

6. There are no error messages for specific form fields, only general error messages

7. Confirmation emails (after user registration) are very limited. You need to create custom HTML email templates if you want more than just a plain text email with a verification link

8. There are limitations in the number of custom field attributes. You can’t create more than 25 custom attributes.

9. AWS Amplify module is a little heavy (minified + gzipped version is around 180 kB)

Final thoughts

Using AWS Cognito for user authentication along AWS Amplify on the application side is probably a faster solution than creating the whole authentication service on your own. In addition, you don’t need to take care of the backend, because this will be already provided by AWS Cognito. Also, some of the error messages, connection with service, UI forms will be provided out of the box. This is a good choice if you want to use advanced security features like phone number verification, two-factor authentication or log in with Google/Facebook.

But if your application does not use any other service from AWS (besides Cognito), connecting it with third-party services will take some time and require custom solutions. In this situation, it’s definitely better to consider building a dedicated authentication service or use an alternative solution that will fit with the rest of the application services/features.