To implement a device-specific PIN for your mobile app using Amazon Cognito, you can leverage Cognito's device tracking and authentication features. Here's a recommended approach:
- Device Tracking: When a user signs up or signs in, Cognito generates a unique device key. You can use this device key to associate the PIN with a specific device.
- Custom Attribute: Create a custom attribute in your Cognito user pool to store the PIN. However, instead of storing the PIN directly, you should store a hash of the PIN combined with the device key. This ensures the PIN is device-specific.
- Device Confirmation: Use the ConfirmDevice API to confirm the user's device. This associates the device with the user's account in Cognito.
- PIN Setup: When the user sets up their PIN, hash it with the device key and store it in the custom attribute you created.
- Authentication: For subsequent sign-ins, you'll need to implement a custom authentication flow:
  a. The user enters their PIN in the app.
  b. Your app retrieves the device key (stored locally after the initial sign-in).
  c. Hash the entered PIN with the device key.
  d. Use this hash in a custom challenge in the authentication flow.
- Custom Auth Challenge: Implement a Lambda function to verify the PIN hash against the stored value in the custom attribute.
This approach ensures that the PIN is tied to the specific device. If a user tries to use the same PIN on a different device, the authentication will fail because the device key will be different, resulting in a different hash.
Remember to implement proper security measures, such as limiting PIN attempts and implementing a secure way to reset the PIN if needed. Also, consider using Cognito's adaptive authentication features to add an extra layer of security based on risk evaluation.
While this approach leverages Cognito's device management capabilities, it's important to note that you'll need to implement custom logic to handle the PIN verification process, as Cognito doesn't natively support device-specific PINs.
Sources
Working with user devices in your user pool - Amazon Cognito
DeviceConfigurationType - Amazon Cognito User Pools
AWS Cognito device_key purpose | AWS re:Post
Use ConfirmDevice with an AWS SDK or CLI - Amazon Cognito
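The custom authentication flow the answer above outlines, as an added example that is not part of the original answer or of any AWS sample code. It models the three Cognito Lambda triggers (DefineAuthChallenge, CreateAuthChallenge and VerifyAuthChallengeResponse) using the event fields those triggers actually receive, plus the client-side step that binds the PIN to the device key. Design choices that go beyond the answer's wording: a PIN has very little entropy, so the device-bound value is derived with PBKDF2 (device key as salt) rather than a bare hash, only a hash of that derived value is kept in the custom attribute (so the attribute is not itself a replayable credential), comparison is constant-time, and DefineAuthChallenge fails the session after a fixed number of wrong answers. The attribute name `custom:pin_verifier`, the challenge metadata `DEVICE_PIN` and the iteration count are assumptions; the `simulate_sign_in` helper only stands in for Cognito driving the triggers so the flow can be run offline.

```python
import hashlib
import hmac

# Assumed parameters (not from the answer): KDF cost and the lockout threshold.
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 3
PIN_ATTRIBUTE = "custom:pin_verifier"   # assumed custom attribute name
CHALLENGE_TAG = "DEVICE_PIN"            # assumed challengeMetadata value


def derive_pin_answer(pin: str, device_key: str) -> str:
    """Client side (steps b-c): bind the PIN to this device's Cognito device key.
    PBKDF2 instead of a plain hash because a 4-6 digit PIN is trivially enumerable."""
    return hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), device_key.encode(), PBKDF2_ITERATIONS
    ).hex()


def make_pin_verifier(answer: str) -> str:
    """PIN setup: what gets written to the custom attribute. Storing a hash of the
    derived answer means reading the attribute does not yield a usable challenge answer."""
    return hashlib.sha256(answer.encode()).hexdigest()


def define_auth_challenge(event: dict) -> dict:
    """DefineAuthChallenge trigger: decide from the session history what happens next."""
    session = event["request"].get("session", [])
    custom = [s for s in session if s.get("challengeName") == "CUSTOM_CHALLENGE"]
    failed = sum(1 for s in custom if not s.get("challengeResult"))
    resp = event["response"]
    if any(s.get("challengeResult") for s in custom):
        resp["issueTokens"], resp["failAuthentication"] = True, False
    elif failed >= MAX_ATTEMPTS:          # lockout after repeated wrong PINs
        resp["issueTokens"], resp["failAuthentication"] = False, True
    else:
        resp["issueTokens"], resp["failAuthentication"] = False, False
        resp["challengeName"] = "CUSTOM_CHALLENGE"
    return event


def create_auth_challenge(event: dict) -> dict:
    """CreateAuthChallenge trigger: tell the app which challenge to answer.
    Nothing secret is needed in privateChallengeParameters for this design."""
    event["response"]["publicChallengeParameters"] = {"type": CHALLENGE_TAG}
    event["response"]["privateChallengeParameters"] = {}
    event["response"]["challengeMetadata"] = CHALLENGE_TAG
    return event


def verify_auth_challenge_response(event: dict) -> dict:
    """VerifyAuthChallengeResponse trigger: compare the submitted device-bound answer
    with the stored verifier in constant time."""
    stored = event["request"].get("userAttributes", {}).get(PIN_ATTRIBUTE, "")
    answer = event["request"].get("challengeAnswer") or ""
    candidate = make_pin_verifier(answer)
    event["response"]["answerCorrect"] = bool(stored) and hmac.compare_digest(stored, candidate)
    return event


def simulate_sign_in(pin_attempts, device_key: str, user_attributes: dict) -> bool:
    """Offline stand-in for Cognito driving the triggers. Returns True if tokens would be issued."""
    session = []
    for pin in pin_attempts:
        d = define_auth_challenge({"request": {"session": list(session)}, "response": {}})
        if d["response"]["failAuthentication"]:
            return False
        if d["response"]["issueTokens"]:
            return True
        c = create_auth_challenge({"request": {}, "response": {}})
        v = verify_auth_challenge_response({
            "request": {
                "userAttributes": user_attributes,
                "privateChallengeParameters": c["response"]["privateChallengeParameters"],
                "challengeAnswer": derive_pin_answer(pin, device_key),
            },
            "response": {},
        })
        session.append({
            "challengeName": "CUSTOM_CHALLENGE",
            "challengeResult": v["response"]["answerCorrect"],
            "challengeMetadata": CHALLENGE_TAG,
        })
    d = define_auth_challenge({"request": {"session": session}, "response": {}})
    return bool(d["response"].get("issueTokens")) and not d["response"]["failAuthentication"]


if __name__ == "__main__":
    # Constructed sample: user enrolls PIN 4821 on device "dev-A".
    attrs = {PIN_ATTRIBUTE: make_pin_verifier(derive_pin_answer("4821", "dev-A"))}
    print("same device, right PIN :", simulate_sign_in(["4821"], "dev-A", attrs))
    print("other device, right PIN:", simulate_sign_in(["4821"], "dev-B", attrs))
    print("three wrong PINs       :", simulate_sign_in(["0000", "1111", "2222", "4821"], "dev-A", attrs))
```

Deploy each trigger function as its own Lambda handler (Cognito passes `event` and `context`); the ConfirmDevice call and local storage of the device key happen in the app before the flow starts and are outside this block.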