How AWS Cognito User Pool defends against bruteforce attacks

5

41

I am going to use the AWS Cognito User Pool product as the user directory for an application and have several questions:

  1. Does Amazon throttle requests to Cognito User Pool, and if yes, what is the rate limit at which calls get throttled?
  2. How does Cognito defend against brute-force attacks on login/password?
Sukkah answered 9/6, 2016 at 17:50 Comment(0)
54

After a couple of hours of searching I found these two exceptions in the source code:

TooManyFailedAttemptsException This exception gets thrown when the user has made too many failed attempts for a given action (e.g., sign in).

HTTP Status Code: 400

TooManyRequestsException This exception gets thrown when the user has made too many requests for a given operation.

HTTP Status Code: 400

Also, I tried to log in with wrong credentials to test the limits; I get a NotAuthorizedException (Password attempts exceeded) after the 5th attempt.

In a similar scenario, I tried to brute-force the forgot password flow, but after 10 failed attempts I got LimitExceededException: Attempt limit exceeded, please try after some time.

I think that is how they do it.

Willy answered 14/8, 2016 at 9:39 Comment(5)
Landed on this answer after we started developing our own lockout-after-N-attempts system. It's really irritating it's not mentioned anywhere in the docs AFAIK. We need finer-grained control over how many attempts cause a lockout and how long they are locked out, as well as the ability for an administrator to unlock important accounts if needed. Can it be done in Cognito?Sheikdom
It's not currently possible to do this with Cognito, since there is no hook to capture login failures, and it's not reliable to track such failures in your client app.Arcboutant
@AlexFomin the question is about bruteforcing Cognito... how does WAF help here?Laboy
@MaxIvanov you are right. I was wrong. Right now I have some troubles with brute-force attacks on Cognito, and I can't get a clear answer from AWS support on how its firewall works and how to protect against them (brute-force attacks). The first thing I decided was to insert ReCaptcha into Lambda triggers like preauth, presignup, forgotpassword. But it's not the solution to that problem. Brute-force attacks still burn all quotas for UserAuthentication requests.Casta
And it's still a pain in the butt to protect your UserPool from brute-force attacks. Right now I have an idea: make a private proxy for the frontend which will store all public keys like region and UserPoolClientID there and forward all requests from the frontend to Cognito. But it's still not clear how the frontend will make all these requests, because it uses the Amplify library. And it seems that Amplify uses these keys for coding some data for requests.Casta
19

Yes, Cognito User Pools protects against brute force attacks by using various security mechanisms. Throttling is one of those mechanisms. We do not share limits as they vary dynamically.

Sanborn answered 10/6, 2016 at 20:12 Comment(6)
Can you please elaborate what kind of security mechanisms are you using?Sukkah
@Rachit Dhall, can you explain a little bit more about these mechanisms? These kinds of information are not mentioned in doc, so it would be a good point to start, I guess.Willy
There are security mechanisms on number of attempts, throttling and number of requests for getting codes.Sanborn
@RachitDhall Is there any documentation about how secure are these mechanisms?Retch
@RachitDhall It's been a couple of years since your answer - is there any official documentation that just states that Cognito does this? Even this documentation does not share specific limits.Shore
@ᴛʜᴇᴘᴀᴛᴇʟ check Dave B.'s answer below: https://mcmap.net/q/386735/-how-aws-cognito-user-pool-defends-against-bruteforce-attacks Contains this link: docs.aws.amazon.com/cognito/latest/developerguide/… There's a part titled: "Amazon Cognito lockout behavior for failed sign-in attempts"Protocol
14

This contains the latest documentation on the lockout policies for Cognito.

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html

We allow five failed sign-in attempts. After that we start temporary lockouts with exponentially increasing times starting at 1 second and doubling after each failed attempt up to about 15 minutes. Attempts during a temporary lockout period are ignored. After the temporary lockout period, if the next attempt fails, a new temporary lockout starts with twice the duration as the last. Waiting about 15 minutes without any attempts will also reset the temporary lockout. Please note that this behavior is subject to change.

Nigelniger answered 18/8, 2020 at 16:57 Comment(0)
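The lockout schedule quoted in this answer, written out as a local simulation so the schedule can be checked against an attacker's pacing. This is an added example, not Amazon's code, and the documentation leaves some boundaries open: the model assumes the fifth failure itself starts the first lockout, that ignored attempts touch no state, and that the idle reset requires strictly more than the 15-minute cap (so waiting exactly for a capped lockout to expire does not hand back five free attempts).

```python
"""Model of the Cognito User Pools lockout behaviour described in the answer:
five free failures, then temporary lockouts starting at 1 s and doubling per
failure up to about 15 minutes, attempts during a lockout ignored, and the
counter reset after about 15 idle minutes.

Added example, not Amazon's code. Boundaries the documentation does not state
(which failure starts the first lockout, whether ignored attempts touch state,
and whether the idle reset is strictly longer than the cap) are assumptions.
"""
from dataclasses import dataclass, field

FREE_FAILURES = 5            # failures before the first temporary lockout (assumption: 5th locks)
INITIAL_LOCKOUT = 1.0        # seconds; doubles after each further failure
MAX_LOCKOUT = 15 * 60.0      # cap, "about 15 minutes"
RESET_IDLE = 15 * 60.0       # idle time after which the failure counter is forgotten


@dataclass
class LockoutState:
    failures: int = 0                      # consecutive failed sign-ins since the last reset
    lockout_len: float = 0.0               # length of the most recent lockout in seconds
    lockout_until: float = 0.0             # attempts before this time are ignored
    last_attempt: float = float("-inf")    # time of the last attempt that was not ignored


@dataclass
class LockoutPolicy:
    correct_password: str
    state: LockoutState = field(default_factory=LockoutState)

    def attempt(self, password: str, now: float) -> str:
        """Return 'ok', 'wrong', 'locked:<seconds>' or 'ignored' for an attempt at time `now`."""
        s = self.state
        if now - s.last_attempt > RESET_IDLE:          # assumption: strictly more than the cap
            s.failures, s.lockout_len, s.lockout_until = 0, 0.0, 0.0
        if now < s.lockout_until:
            return "ignored"                           # even the correct password is ignored here
        s.last_attempt = now
        if password == self.correct_password:
            s.failures, s.lockout_len = 0, 0.0
            return "ok"
        s.failures += 1
        if s.failures < FREE_FAILURES:
            return "wrong"
        # first lockout is 1 s; each later failure doubles it, capped at MAX_LOCKOUT
        s.lockout_len = INITIAL_LOCKOUT if s.lockout_len == 0 else min(2 * s.lockout_len, MAX_LOCKOUT)
        s.lockout_until = now + s.lockout_len
        return f"locked:{s.lockout_len:g}"


def guesses_in_window(window_seconds: float) -> int:
    """Wrong guesses an online attacker can submit against one account within
    `window_seconds` when each new guess is made the instant the lockout lifts."""
    policy = LockoutPolicy(correct_password="correct horse battery staple")
    now, guesses = 0.0, 0
    while now < window_seconds:
        result = policy.attempt("not-the-password", now)
        guesses += 1
        if result.startswith("locked"):
            now = policy.state.lockout_until       # wait out the lockout, then try again
    return guesses


if __name__ == "__main__":
    # constructed timeline: five failures, then attempts during and after lockouts
    p = LockoutPolicy("hunter2!")
    for t, pw in [(0, "a"), (0, "b"), (0, "c"), (0, "d"), (0, "e"),
                  (0.5, "hunter2!"), (1, "f"), (2, "hunter2!"), (3, "hunter2!"), (2000, "hunter2!")]:
        print(f"t={t:>6}s {pw!r:12} -> {p.attempt(pw, t)}")
    print("wrong guesses possible in 24 h:", guesses_in_window(24 * 3600))
```

Run as a script it prints a short timeline (the correct password at t=0.5 s and t=2 s is ignored because a lockout is active) and the 24-hour guess budget: 109 wrong guesses under these assumptions, 15 of them within the first 17 minutes and then one every 15 minutes once the cap is reached. If the real service resets the counter at exactly the same 15-minute boundary as the cap, an attacker pausing for exactly that long would regain five free attempts per window, so the figure may understate what the service allows; it is a model of the documented wording, not a measurement.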
4

Rather than (or in addition to) focusing on brute-forcing the login endpoint, I think the forgot password flow deserves some attention.

Forgot password email contains a 6-digit code that can be used to set new password.

This code is valid for 1 hour. User Pools code validity resource quotas.

In my tests I could make 5 attempts to set new password within an hour for a single user before throttling came into effect (LimitExceededException: Attempt limit exceeded, please try after some time.)

Now, if I do the math correctly, there are 1000000 possible values for a code (from my tests I never saw codes starting with 0 so there may be less). You have 5 attempts/hr to guess the code. So each hour you have 5/1000000*100=0.0005% chance to succeed with resetting the password without knowing the code.

Is this a small chance? It seems so.

Considering a large-scale attack bruteforcing multiple users with retries concurrently should I sleep well at night? I don't know!

To solve the issue once and for all, why can't Cognito use longer codes that are hard to guess (I want to sleep well at night). Maybe it has something to do with the fact that the same codes mechanism is used in text messages. I wish there was an official comment.

Laboy answered 5/3, 2021 at 21:37 Comment(1)
Forgot Password Behavior: contains some information about forgot password limits.Anathematize
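The per-user figure in this answer, scaled up to the multi-user campaign the answerer asks about. This is an added example rather than the answerer's own calculation; it keeps the page's inputs (6-digit code, 5 guesses per user per hour, per-user throttling) and treats each user-hour as an independent draw. The campaign size and duration are constructed inputs.

```python
"""Forgot-password code guessing at scale.

Inputs from the answer above: the code is a 6-digit value (1,000,000 possibilities),
and a single user can be targeted with 5 guesses per hour before LimitExceededException.
Each user-hour is treated as an independent draw with distinct guesses, which is the
attacker's best case. Added example; campaign sizes below are constructed.
"""

CODE_SPACE = 1_000_000       # 000000..999999
GUESSES_PER_HOUR = 5         # per user, per hour, before the throttle kicks in


def per_user_hour_probability(code_space: int = CODE_SPACE, guesses: int = GUESSES_PER_HOUR) -> float:
    """Chance that `guesses` distinct guesses hit one uniformly random code."""
    return guesses / code_space


def campaign(users: int, hours: int, code_space: int = CODE_SPACE,
             guesses: int = GUESSES_PER_HOUR) -> tuple[float, float]:
    """Expected number of reset accounts and the chance of at least one, for an
    attacker who runs the per-user limit against `users` accounts for `hours` hours.
    The throttle is per user, so the trials simply multiply across accounts."""
    p = per_user_hour_probability(code_space, guesses)
    trials = users * hours
    expected = trials * p
    p_at_least_one = 1 - (1 - p) ** trials
    return expected, p_at_least_one


def hours_for_one_expected_reset(users: int = 1, code_space: int = CODE_SPACE,
                                 guesses: int = GUESSES_PER_HOUR) -> float:
    """Hours of sustained guessing until the expected number of resets reaches 1."""
    return code_space / (guesses * users)


if __name__ == "__main__":
    print(f"single user, one hour: {per_user_hour_probability():.4%}")
    print(f"single user: {hours_for_one_expected_reset():,.0f} h "
          f"({hours_for_one_expected_reset() / 24 / 365:.1f} years) for one expected reset")
    for users, hours in [(100, 24), (10_000, 24), (100_000, 24)]:     # constructed campaigns
        expected, p_any = campaign(users, hours)
        print(f"{users:>7} users x {hours} h: expected resets {expected:.2f}, "
              f"P(at least one) {p_any:.1%}")
```

For one account the 5 guesses per hour work out to 200,000 hours (about 23 years) for a single expected reset, which is the reassuring number. The limit is per user, though, so 10,000 targeted accounts over 24 hours give an expected 1.2 resets and roughly a 70% chance of at least one, assuming the attacker knows the usernames and can trigger the flow for each. The per-user throttle bounds risk per account, not across the user base, which is the scenario the answer raises.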
0

In AWS Cognito service, the maximum number of password attempts allowed before an account is locked can be configured using the "Account Recovery" settings. By default, Cognito allows 5 password attempts before triggering a "NotAuthorizedException" due to exceeding the limit. If you wish to reduce it to 3 attempts, you can follow these steps:

  1. Sign in to the AWS Management Console.
  2. Navigate to the Cognito service.
  3. Select the Cognito User Pool for which you want to configure the password attempts limit.
  4. In the left-hand menu, click on "Account Recovery".
  5. Under the "Multi-Factor Authentication (MFA)" section, look for the "Max password attempts" setting.
  6. Change the value from the default "5" to "3" to reduce the password attempts limit to 3.
  7. Click on "Save changes" to apply the new configuration.

After making this change, Cognito will allow a maximum of 3 password attempts before triggering the "NotAuthorizedException" due to exceeding the limit. Note that this setting applies to all user accounts in the User Pool, and once the limit is reached, users will need to go through the configured account recovery process to regain access to their accounts.

Odessaodetta answered 11/4, 2023 at 8:19 Comment(0)
