Arvind Srivastava

Passwordless Authentication with SMS using AWS Cognito


About two weeks ago, we at Zyvika decided to implement passwordless authentication with SMS in our application. In this blog post, I would like to share why we decided to go with this approach and how we implemented it in AWS Cognito.


There are many ways to authenticate a user in an application: email-based authentication, authentication with a text SMS, social login using Google, Facebook, LinkedIn, etc. Every approach has its own set of pros and cons.


Text SMS based authentication is particularly suitable for us for the following reasons:

  1. Our application is a B2C application and our userbase is only in one country.

  2. We would like to have direct communication with customers to serve them better.

  3. Our application is still evolving, and we would like to inform / sell to our customers in a more direct way whenever a feature is released.

  4. We would like the user session to be remembered on the device for a long period of time. Had this not been the case, we might end up sending too many SMS messages, annoying some users.


Passwordless authentication with SMS simplifies the user experience by removing the need for customers to remember a password, eliminating the "Forgot password" and "Change password" use cases and thereby simplifying the whole user registration and login process.


Implementing passwordless authentication in AWS Cognito is not straightforward, as it does not support user registration without a password. User login can be done without a password through a custom authentication flow, but that means we would have to manage the OTP ourselves (sending it out, matching it and handling its expiry).

Instead, we decided to leverage AWS Cognito's MFA-after-login feature to simulate passwordless authentication.



Here is how we did it:

  1. Set up the AWS Cognito user pool "Sign-up experience" with "Allow Cognito to automatically send messages to verify and confirm" disabled. We set up the "Sign-in experience" with "MFA enforcement" as Require MFA and "MFA methods" as SMS messages.

  2. Set up a public API that admin-confirms the registered accounts.

  3. Use a fixed password in all Cognito API calls to simulate passwordless sign-up and sign-in.
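The three steps above as an added example (not the post's demo code): the client-side SignUp / InitiateAuth / RespondToAuthChallenge calls and the backend admin-confirm step, written against the boto3 `cognito-idp` client API. The client id, pool id, fixed password and the `FakeCognito` stand-in are placeholders I constructed so the flow runs offline; marking `phone_number_verified` in the admin step is my assumption, not something the post states.

```python
# Added example (not the post's demo code): the fixed-password sign-up and
# sign-in flow. `client` is a boto3 "cognito-idp" client in production; FakeCognito
# mimics a pool set up as in the post (MFA required, SMS, no auto-verification).
FIXED_PASSWORD = "Pl@ceholder-Passw0rd"  # constructed; the same for every user
CLIENT_ID, USER_POOL_ID = "app-client-id", "user-pool-id"  # placeholders

def register(client, phone):
    """Client side: SignUp with the fixed password; user is left UNCONFIRMED."""
    client.sign_up(ClientId=CLIENT_ID, Username=phone, Password=FIXED_PASSWORD,
                   UserAttributes=[{"Name": "phone_number", "Value": phone}])
def admin_confirm(client, phone):
    """Backend API (needs IAM rights on the pool): confirm the account.
    Assumption: also mark the phone verified so the SMS MFA code can be sent."""
    client.admin_confirm_sign_up(UserPoolId=USER_POOL_ID, Username=phone)
    client.admin_update_user_attributes(
        UserPoolId=USER_POOL_ID, Username=phone,
        UserAttributes=[{"Name": "phone_number_verified", "Value": "true"}])
def start_sign_in(client, phone):
    """Client side: the fixed password passes the password check; with MFA
    required, Cognito answers with an SMS_MFA challenge instead of tokens."""
    resp = client.initiate_auth(
        ClientId=CLIENT_ID, AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": phone, "PASSWORD": FIXED_PASSWORD})
    if resp.get("ChallengeName") != "SMS_MFA":
        raise RuntimeError("pool must enforce SMS MFA, got %r" % resp)
    return resp["Session"]
def finish_sign_in(client, phone, session, code):
    """Client side: the SMS code is the only per-user secret in this scheme."""
    resp = client.respond_to_auth_challenge(
        ClientId=CLIENT_ID, ChallengeName="SMS_MFA", Session=session,
        ChallengeResponses={"USERNAME": phone, "SMS_MFA_CODE": code})
    return resp["AuthenticationResult"]

class FakeCognito:
    """Offline stand-in for the user pool; constructed, not the AWS SDK."""
    def __init__(self): self.users, self.codes = {}, {}
    def sign_up(self, **kw): self.users[kw["Username"]] = {"confirmed": False}
    def admin_confirm_sign_up(self, **kw): self.users[kw["Username"]]["confirmed"] = True
    def admin_update_user_attributes(self, **kw): self.users[kw["Username"]]["verified"] = True
    def initiate_auth(self, **kw):
        user, pw = kw["AuthParameters"]["USERNAME"], kw["AuthParameters"]["PASSWORD"]
        if not self.users.get(user, {}).get("confirmed") or pw != FIXED_PASSWORD:
            raise PermissionError("NotAuthorizedException")
        self.codes[user] = "123456"  # stands in for the SMS Cognito would send
        return {"ChallengeName": "SMS_MFA", "Session": "sess-" + user}
    def respond_to_auth_challenge(self, **kw):
        user, code = kw["ChallengeResponses"]["USERNAME"], kw["ChallengeResponses"]["SMS_MFA_CODE"]
        if kw["Session"] != "sess-" + user or code != self.codes.pop(user, None):
            raise PermissionError("CodeMismatchException")
        return {"AuthenticationResult": {"IdToken": "id." + user, "AccessToken": "acc." + user}}
```

Because every account shares `FIXED_PASSWORD`, the SMS code is the only per-user secret, so the admin-confirm API should only confirm accounts whose phone number the backend has actually been asked to register.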





A demo application with source code is available in my GitHub repository - link