Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How AWS Cognito User Pool defends against bruteforce attacks

I am going to use AWS Cognito User Pool product as user directory for application and have several questions:

  1. Is Amazon throttle request to Cognito User Pool and if yes what is the rate limit of calls to get throttled?
  2. How Cognito defends against bruteforce attack on login/password?
like image 250
knok16 Avatar asked Jun 09 '16 17:06

knok16


People also ask

How does Cognito user pool work?

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.

What is the main difference between Cognito user pool and Cognito identity pool?

With a user pool, your app users can sign in through the user pool or federate through a third-party identity provider (IdP). Identity pools are for authorization (access control). You can use identity pools to create unique identities for users and give them access to other AWS services.

How does AWS Cognito hash passwords?

Cognito Identity does not receive or store user credentials. Cognito Identity uses the token from the identity provider to obtain a unique identifier for the user and then hashes it using a one-way hash so that the same user can be recognized again in the future without storing the actual user identifier.

How can you use Cognito to provide security to a user?

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple. The two main components of Amazon Cognito are user pools and identity pools.


1 Answers

After couple of hours search I found this two exceptions in source code:

TooManyFailedAttemptsException This exception gets thrown when the user has made too many failed attempts for a given action (e.g., sign in).

HTTP Status Code: 400

TooManyRequestsException This exception gets thrown when the user has made too many requests for a given operation.

HTTP Status Code: 400

Also, I tried to log in with wrong credentials to test limits, I get NotAuthorizedException: Password attempts exceeded exception after 5. attempt.

In a similar scenario, I tried to brute force to forgot password but after 10 failed attempt I got LimitExceededException: Attempt limit exceeded, please try after some time.

I think that is how they do it.

like image 120
endertunc Avatar answered Sep 29 '22 19:09

endertunc