Amazon Web Services (AWS) has updated its authentication service to make it simpler for software engineering teams to eliminate passwords.
Amazon Cognito now supports passkey authentication, which is based on public key cryptography and biometrics, in addition to the one-time passwords over email and SMS it already supported. Passkey support adds the ability to authenticate using cryptographic keys stored on devices, a method for embracing zero-trust IT principles.
With this update AWS has also revamped its console for the Amazon Cognito service to make the service accessible to a wider range of development teams. It has added a managed login capability that lets software engineering teams further customize the authentication process so that it, for example, matches branding requirements.
Finally, AWS has added additional tiers of service. The Lite, Essentials and Plus services make it possible to align costs with requirements, with the Essentials tier now being the initial default option. There continues to be a free tier that enables developers to initially become familiar with the service.
Karen Haberkorn, director of product management for identity at AWS, said the Amazon Cognito service provides an alternative to managing authentication that doesn’t require software engineering teams to invest time and effort into what amounts to an undifferentiated capability. Every application development team to one degree or another needs to, for example, manage application secrets, but it’s not a capability that their end customers are going to value, she noted.
The Amazon Cognito service, in contrast, is designed to present application development teams with a visual interface through which they can consistently manage authentication in a way that allows them to comply with most regulatory requirements, said Haberkorn. The Amazon Cognito service also supports frameworks such as OpenID Connect (OIDC) and OAuth and their open-source libraries, and it is already being used to process hundreds of billions of authentications every month, noted Haberkorn.
At the core of the Amazon Cognito service is Cedar, an open-source policy language and authorization engine developed by AWS to decouple access control from application logic. The approach helps ensure that application development teams, for example, don't inadvertently leave application secrets exposed in a way that cybercriminals can easily discover.
Each software engineering team will need to decide for itself to what degree it wants to manage authentication processes itself versus relying on a service. But in an age where cybercriminals routinely steal credentials to gain access to applications, there is an argument to be made for relying on a service that makes it simpler to embrace a set of best practices. A recent Techstrong survey finds that slightly less than half of organizations, at this point, have adopted DevSecOps best practices.
Regardless of approach, the best way to ensure that application development teams don’t wind up having uncomfortable conversations with cybersecurity teams is to ensure robust authentication capabilities are consistently embedded across every application deployed. After all, the best approach to application security is to ensure that potential incidents involving identities don’t ever occur in the first place.