Cognito threat detection, contextData missing feature gap - Expo/React-native

[BuildingFiles]

Is this related to a new or existing framework?

React Native

Is this related to a new or existing API?

Authentication

Is this related to another service?

Cognito

Describe the feature you'd like to request

Opening a new ticket for this as a issue on its own per request and confirmed in #13918 and by AWS support

Amplify for Expo/React-native has a feature gap that prevents it from sending users context data to Cognito which causes escalating threat levels for logins resulting in some cases where users who log in several times a week get blocked permanently after a while.

Note the validation of logins through the Cognito console apparently will not deescalate the threat levels after a certain point. Meaning we have user accounts (notably my own and a few others) not able to log into the application I developed in the production environment!!! Luckily this has not impacted paying clients to frequently and they have not reached the High threat levels yet.

This impacts deployments when using Amplify Expo/react-native for Web and Mobile devices.

As a note: Amplify claims full support for expo including web, despite issues where they dropped support for react-native-web in V6. A paradox they have yet to resolve.

This issue impacts paying clients for apps developed in Expo that require web-based interfaces in addition to mobile. Security is not something to be taken lightly and needs to be implemented for all platforms. I only specify this because the tech in the previous topic conveniently omitted web from his response.

AWS claims SOC and HIPAA compliance, which was a major factor in deciding to use it years ago. https://docs.aws.amazon.com/security/
We have clients that require HIPAA and SOC. If these features are not available through Expo web / react-native, then we have submitted your documentation as proof of compliance to many paying clients. And I do not know how bad that will be if it turns out that web is going to get skipped over yet again for a amplify feature gap.

Describe the solution you'd like

The ability to use Advanced threat detection with Cognito through the Amplify Expo/React-native framework for all platforms.

Describe alternatives you've considered

No one from support has been able to suggest any workarounds or alternatives that would maintain HIPAA and SOC requirements or work so far.

Additional context

The one proposed hack to possibly get it working is to somehow wrap the js scripts into our application so the function getUserContextData from amplify-js can be used within our application. But I do not see how we could implement this into our existing application.

I already collect the equivalent user data from web and mobile manually without the js function. But as far as I can tell the issue seems to be that Amplify.Auth can't send the data to Cognito regardless.

Is this something that you'd be interested in working on?

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

[bobbor]

hey @BuildingFiles

thanks for creating a separate issue.

We see this as a feature request, as this is something which we will have to add to the framework. This does not mean, that we won't take care of it with high priority.

Please be aware that the issue has already been discussed and we are working on a quick solution to help you as well as other customers, that use this feature.

Cheers Philipp

[BuildingFiles]

hey @BuildingFiles

thanks for creating a separate issue.

We see this as a feature request, as this is something which we will have to add to the framework. This does not mean, that we won't take care of it with high priority.

Please be aware that the issue has already been discussed and we are working on a quick solution to help you as well as other customers, that use this feature.

Cheers Philipp

Thank you for the feed back. I am also working on seeing if I can find any kind of fix. I thought I had but after some testing I font think it was right. its hard to tell since we only have the security enabled on our production site, so all dev testing may be failing just due to the lack of the security being enabled.

[bobbor]

hey, sorry for replying so slowly. I've been knocked out a bit during winterseason.

Anyways, feel free to create a some draft PR or a Proof of Concept, which allows us to work together towards a working solution.

In the meantime, I'll try to further investigate and try to find a fix for the issue.

[BuildingFiles]

hey, sorry for replying so slowly. I've been knocked out a bit during winterseason.

Anyways, feel free to create a some draft PR or a Proof of Concept, which allows us to work together towards a working solution.

In the meantime, I'll try to further investigate and try to find a fix for the issue.

Hi sorry for the delay. I was on vacation from Xmas to now.

I have not found any fix since my last post. I will have to get caught up and re oriented with what I was last looking into.

Has there been any progress on a workaround or preferably a proper fix for this issue?

[BuildingFiles]

I would like to share that the Cognito team apparently has addressed the validation issue that was preventing accounts from being unblocked. While testing options are limited, I was able validate a blocked account and sign in with it for the first time in 2 months.

However this does not prevent the system from falsely flagging accounts in the first place, and manually resetting them as needed is only a temporary solution as it is not sustainable in the long term.

I hope that this premium service that we have been paying for gets fixed soon.

I will continue to try and hash out a possible fix on my end. but testing is next to impossible as it takes weeks of constant logins to impact an account and we cannot deploy experimental code to our production site which is the one with any currently affected accounts. Basically, I can look all I want and I may think I find a fix but I won't be able to verify it. The fastest solution is for the aws teams to find and fix the problem.

[bobbor]

hey @BuildingFiles

We've been working on a solution recently and I'm hopefully optimistic to tell you that we might have found it.

We have prepared a PR, which we would like you to try out using a pre-release id.

the PR lives here:
#14655

currently some tests are failing which prevents the creation of a testing release, but we will fix this one beginning of next week, so you can try it out.

The changes should allow you to create the required device information needed by cognito for advanced security features on Android and iOS devices using Expo (Go) and React Native.

I'll let you know, when there is a version you can use to test

Cheers Philipp