By using AWS re:Post, you agree to the Terms of Use

Congito - Disabling password reuse (last x passwords)

0

We have many downstream client requests to prevent the reuse of passwords when a user changes their passwords in our applications. We are using Cognito User Pools to manage all users and store no credentials at all in our system databases.

Is there any way to configure parameters on a user account to disallow them from using the same password that has previously been used?

We don't want to make the push to Federated auth (to allow the clients to manage this on their side) because a lot of smaller customers don't necessarily have the means to set up an identity provider or an IT team to manage it or push to MFA for the same reason.

Any help with this functionality or if there is a known open issue that we can track, that would be appreciated!

1 Answers
1
Accepted Answer

Hi there,

I understand that you would like to set password reuse policies and would like to know if there is a way to configure parameters on a user account to disallow them from using the same password that has previously been used.

Regretfully, at the moment, Cognito does not support preventing users from re-using the same password.

By design, Cognito does not transfer and store user's password to Cognito actually, instead it uses Secure Remote Password (SRP) protocol for password verification for authentication. You can also find more SRP information here[1]. For security reasons, Cognito only transfers the SRP password verifier, instead of actual password of a user under the hood. Hence, Which is the reason it does not store the history of previous password of a user and compare them against the new one that the user is trying to change.

A workaround to apply this restriction, would be implementing your own policy verification when calling Change Password API [2] in your code, or saving the password hash as a custom attribute and then compare it with the new one. Whatever options would involve storing passwords and this is not in line with security best practices, so I would recommend you to check your company’s security policies before doing anything.

please keep an eye on the What's New Page[3] and AWS Blogs[4] to know more about future releases. Additionally, you can also monitor Cognito Document history page[5], where new Cognito feature release are announced.

I hope you find this information helpful.

Have a great day ahead.

========= Resources

[1] SRP: https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

[2] Change Password API: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ChangePassword.html

[3] What's New: https://aws.amazon.com/new/

[4] AWS Blogs: https://aws.amazon.com/blogs/aws/

[5] Document History for Amazon Cognito - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-document-history.html

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions