Working with compromised-credentials detection
Amazon Cognito can detect if a user's username and password have been compromised elsewhere. This can happen when users reuse credentials at more than one site, or when they use insecure passwords. Amazon Cognito checks local users who sign in with username and password, in managed login and with the Amazon Cognito API.
From the Threat protection menu of the Amazon Cognito console, you can configure Compromised credentials. Configure Event detection to choose the user events that you want to monitor for compromised credentials. Configure Compromised credentials responses to choose whether to allow or block the user if compromised credentials are detected. Amazon Cognito can check for compromised credentials during sign-in, sign-up, and password changes.
When you choose Allow sign-in, you can review Amazon CloudWatch Logs to monitor the evaluations that Amazon Cognito makes on user events. For more information, see Viewing threat protection metrics. When you choose Block sign-in, Amazon Cognito prevents sign-in by users who use compromised credentials. When Amazon Cognito blocks sign-in for a user, it sets the user's UserStatus to RESET_REQUIRED. A user with a RESET_REQUIRED status must change their password before they can sign in again.
Compromised-credentials detection can check passwords for the following user activity.
- Sign-up
  Your user pool checks the passwords that users transmit in the SignUp operation and from the sign-up page of managed login for indicators of compromise.
- Sign-in
  Your user pool checks passwords that users submit in password-based sign-in for indicators of compromise. Amazon Cognito can review the ADMIN_USER_PASSWORD_AUTH flow in AdminInitiateAuth, the USER_PASSWORD_AUTH flow in InitiateAuth, and the PASSWORD option of the USER_AUTH flow in both. Currently, Amazon Cognito doesn't check for compromised credentials for sign-in operations with the Secure Remote Password (SRP) flow. SRP sends a proof derived from the password during sign-in, not the password itself. Amazon Cognito doesn't have access to passwords internally, so it can only evaluate a password that your client passes to it in plaintext.
- Password reset
  Your user pool checks for indicators of compromise in operations that set new user passwords with the ConfirmForgotPassword self-service password reset operation. The code that's required for this operation is generated by ForgotPassword and AdminResetUserPassword.
Compromised-credentials detection doesn't check temporary or permanent administrator-set passwords set with AdminSetUserPassword. However, with temporary passwords, your user pool checks the passwords that users submit in responses to the NEW_PASSWORD_REQUIRED challenge in RespondToAuthChallenge and AdminRespondToAuthChallenge.
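The following script is an added example, not code from the Amazon Cognito documentation or the AWS SDKs. It ties together the Allow/Block choice described above and the per-operation coverage in the list: a helper that says whether a given InitiateAuth flow actually exposes the password to evaluation (SRP-based flows do not), a builder for the SetRiskConfiguration parameters that correspond to the console's Allow sign-in and Block sign-in responses, and a client-side sign-in routine that handles the block by running the self-service ForgotPassword/ConfirmForgotPassword reset instead of retrying the compromised password. It assumes the boto3 cognito-idp client method and parameter names shown (initiate_auth, forgot_password, confirm_forgot_password, set_risk_configuration, PREFERRED_CHALLENGE) and that a blocked sign-in surfaces to the client as PasswordResetRequiredException; SimulatedCognito and all usernames, passwords and codes are constructed so the script runs offline, and a real deployment would pass boto3.client("cognito-idp") in its place.

```python
"""Added example; not from the Amazon Cognito docs or AWS SDKs.

Assumptions: boto3 cognito-idp method and parameter names as used below, and
a blocked sign-in raising client.exceptions.PasswordResetRequiredException.
SimulatedCognito is a constructed stand-in so this runs offline.
"""

# Flows in which the client sends the plaintext password, so Cognito can evaluate it.
PASSWORD_VISIBLE_FLOWS = {"USER_PASSWORD_AUTH", "ADMIN_USER_PASSWORD_AUTH"}
RISK_EVENTS = {"SIGN_IN", "SIGN_UP", "PASSWORD_CHANGE"}  # SetRiskConfiguration EventFilter values


def password_is_checked(auth_flow, auth_parameters):
    """True when compromised-credentials detection can inspect this sign-in."""
    if auth_flow in PASSWORD_VISIBLE_FLOWS:
        return True
    if auth_flow == "USER_AUTH":
        # Choice-based sign-in: only the PASSWORD challenge carries the password;
        # PASSWORD_SRP, like USER_SRP_AUTH, sends a proof Cognito cannot evaluate.
        return auth_parameters.get("PREFERRED_CHALLENGE") == "PASSWORD"
    return False


def compromised_credentials_request(user_pool_id, events, block=True):
    """Parameters for set_risk_configuration; block=False is the console's Allow sign-in."""
    unknown = set(events) - RISK_EVENTS
    if unknown:
        raise ValueError(f"unknown event filter(s): {sorted(unknown)}")
    return {
        "UserPoolId": user_pool_id,
        "CompromisedCredentialsRiskConfiguration": {
            "EventFilter": sorted(events),
            "Actions": {"EventAction": "BLOCK" if block else "NO_ACTION"},
        },
    }


def sign_in(client, client_id, username, password, new_password, get_code):
    """Password sign-in that completes the self-service reset after a block.

    new_password replaces the compromised credential; get_code() returns the
    confirmation code delivered to the user by ForgotPassword.
    """
    params = {"USERNAME": username, "PASSWORD": password}
    try:  # USER_PASSWORD_AUTH rather than SRP, so the password is actually evaluated
        return client.initiate_auth(ClientId=client_id, AuthFlow="USER_PASSWORD_AUTH",
                                    AuthParameters=params)["AuthenticationResult"]
    except client.exceptions.PasswordResetRequiredException:
        # Cognito blocked the sign-in and set UserStatus to RESET_REQUIRED.
        # Do not retry the old password; run ForgotPassword/ConfirmForgotPassword,
        # which is itself evaluated for indicators of compromise.
        client.forgot_password(ClientId=client_id, Username=username)
        client.confirm_forgot_password(ClientId=client_id, Username=username,
                                       ConfirmationCode=get_code(), Password=new_password)
        params["PASSWORD"] = new_password
        return client.initiate_auth(ClientId=client_id, AuthFlow="USER_PASSWORD_AUTH",
                                    AuthParameters=params)["AuthenticationResult"]


class SimulatedCognito:
    """Constructed stand-in for a user pool with Block sign-in enabled.

    Passwords in `breached` play the role of credentials Cognito knows to be
    compromised elsewhere; the real breach corpus is not modelled.
    """

    class exceptions:  # mirrors client.exceptions.<Name> on a boto3 client
        class PasswordResetRequiredException(Exception):
            pass

    def __init__(self, users, breached):
        self.users = {u: dict(v) for u, v in users.items()}  # name -> {password, status}
        self.breached = set(breached)
        self.pending_code = {}

    def initiate_auth(self, ClientId, AuthFlow, AuthParameters):
        user = self.users[AuthParameters["USERNAME"]]
        if user["status"] == "RESET_REQUIRED":
            raise self.exceptions.PasswordResetRequiredException()
        if AuthParameters.get("PASSWORD") != user["password"]:
            raise PermissionError("NotAuthorizedException")
        if password_is_checked(AuthFlow, AuthParameters) and user["password"] in self.breached:
            user["status"] = "RESET_REQUIRED"  # the documented Block sign-in response
            raise self.exceptions.PasswordResetRequiredException()
        return {"AuthenticationResult": {"AccessToken": f"token-for-{AuthParameters['USERNAME']}"}}

    def forgot_password(self, ClientId, Username):
        self.pending_code[Username] = "123456"  # constructed delivery code

    def confirm_forgot_password(self, ClientId, Username, ConfirmationCode, Password):
        if self.pending_code.pop(Username, None) != ConfirmationCode:
            raise PermissionError("CodeMismatchException")
        if Password in self.breached:  # ConfirmForgotPassword is checked too
            raise ValueError("new password rejected: known to be compromised")
        self.users[Username].update(password=Password, status="CONFIRMED")


if __name__ == "__main__":
    pool = SimulatedCognito({"alice": {"password": "Winter2024!", "status": "CONFIRMED"}},
                            breached={"Winter2024!"})
    print(sign_in(pool, "client-id", "alice", "Winter2024!", "c0rrect-horse-battery", lambda: "123456"))
    print(pool.users["alice"]["status"])
```

Two practical points the script encodes: if your app signs users in with USER_SRP_AUTH or the PASSWORD_SRP option, the check never runs no matter how the risk configuration is set, so confirm the flow before relying on it; and once a user is blocked, the client must drive the reset rather than loop on InitiateAuth, because every retry with the old password fails with the same RESET_REQUIRED condition.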
To add compromised credentials protections to your user pool, see Advanced security with threat protection.