Question: Can I use the front-end components from this repo to implement usernameless sign-in with the new native Cognito passkey support as a backend?? #227

Open
crismerritt opened this issue Jan 28, 2025 · 1 comment

crismerritt commented Jan 28, 2025

I want to implement usernameless sign-in for our app, which uses Cognito. I have enabled the native passkey support in our Cognito user-pool. However, as we know, Cognito's new Managed Login UI does not support usernameless sign-in.

I would prefer not to deploy a bunch of new backend infra, so I am wondering if I can use the front-end components from this repo with the native passkey support from Cognito to achieve my goal.

I can certainly give it a try as an experiment to answer my question, but I would be grateful if anyone can save me a little time if I'm barking up the wrong tree.

Thank you.

Cris

Contributor

ottokruse commented Jan 29, 2025

What the solution here does, for usernameless sign-in, is to create a random challenge and store it in DynamoDB, and return it to the frontend, so that the frontend can do the WebAuthn getCredential, and then send the signature to Cognito, where a custom auth lambda function checks that the challenge you used in the frontend matches what is in the DynamoDB table. (Reason: the challenge must not be under threat actor control, otherwise you can e.g. do replay of an old signature)

See sequence diagram: https://github.com/aws-samples/amazon-cognito-passwordless-auth/blob/main/FIDO2.md

Don't see how that can possibly work with the new native Cognito solution, but I haven't looked very closely at it yet.
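
The challenge handling described in the comment above, sketched as an added example (not code from this repository or from either commenter). The `Map` stands in for the DynamoDB table, and the function names, the TTL and the `https://app.example` origin are assumptions; checking the assertion signature itself is not shown.

```javascript
// Added example: server-side challenge bookkeeping only. The Map stands in for
// the DynamoDB table; verifying the assertion signature is a separate step.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const CHALLENGE_TTL_MS = 2 * 60 * 1000; // assumed lifetime, not taken from the repo

// Step 1: the backend, not the client, picks the challenge and remembers it.
function issueChallenge(store, now = Date.now()) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  const challenge = Buffer.from(bytes).toString("base64url");
  store.set(challenge, now + CHALLENGE_TTL_MS);
  return challenge;
}

// Step 2: the challenge inside clientDataJSON (which the authenticator's
// signature covers) must be one the backend issued, unexpired and unused.
// clientDataJSON is expected base64url-encoded, as the frontend would send it.
function consumeChallenge(store, clientDataJSON, expectedOrigin, now = Date.now()) {
  let clientData;
  try {
    clientData = JSON.parse(Buffer.from(clientDataJSON, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (typeof clientData?.challenge !== "string") {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  const expiresAt = store.get(clientData.challenge);
  store.delete(clientData.challenge); // single use: gone after the first attempt
  if (expiresAt === undefined) return { ok: false, reason: "unknown or already used challenge" };
  if (now > expiresAt) return { ok: false, reason: "challenge expired" };
  if (clientData.type !== "webauthn.get") return { ok: false, reason: "wrong ceremony type" };
  if (clientData.origin !== expectedOrigin) return { ok: false, reason: "origin mismatch" };
  return { ok: true };
}

// Constructed sample input: the fields a browser places in clientDataJSON.
function sampleClientData(challenge, origin) {
  const json = JSON.stringify({ type: "webauthn.get", challenge, origin });
  return Buffer.from(json).toString("base64url");
}

// Demo with a hypothetical origin: first use passes, replay is rejected.
const demoStore = new Map();
const demoData = sampleClientData(issueChallenge(demoStore), "https://app.example");
console.log(consumeChallenge(demoStore, demoData, "https://app.example"));
console.log(consumeChallenge(demoStore, demoData, "https://app.example"));
```

Deleting the entry before the remaining checks means a challenge can be attempted only once, whether or not that attempt succeeds.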
