1Kosmos Achieves DoW IL4 Authorization to Secure Military Identities and Mission Access

Read more

1Kosmos Achieves DoW IL4 Authorization to Secure Military Identities and Mission Access

Read more

1Kosmos Achieves DoW IL4 Authorization to Secure Military Identities and Mission Access

Read more

Integrations

/

Amazon Cognito

Amazon Cognito

The Amazon Cognito integration brings 1Kosmos verified identity and biometric step-up into Cognito sign-up and authentication flows. It helps teams enforce higher-assurance access for sensitive APIs and high-value transactions.

Integration type

Auth/IDP

What we solve

Amazon Cognito deployments often need higher-assurance sign-in and step-up controls than passwords and basic MFA can provide—especially for sensitive APIs and high-value transactions. This integration embeds 1Kosmos verified identity and biometric step-up into Cognito’s authentication and sign-up flows (via OIDC federation, Lambda triggers, or client SDKs) so access decisions can be tied to identity assurance level claims and enforced consistently across serverless architectures.

Integration architecture

Amazon Cognito does not maintain a traditional integration marketplace. Integration operates through three mechanisms.

Mechanism A: OIDC federation

Cognito User Pool is configured with 1Kosmos as an external OIDC provider. During the federated sign-in flow, Cognito redirects the user to the 1Kosmos OIDC authorize endpoint with the /assurance/ial/2 scope. On callback, Cognito maps the id_token claims to user pool attributes.

Mechanism B: Lambda triggers

Lambda triggers provide the deepest integration, enabling proofing and step-up as inline steps in the Cognito authentication flow.

# Pre Sign-up Lambda: Initiate 1Kosmos proofing session
import json
import boto3
import requests

def lambda_handler(event, context):
    # Create a 1Kosmos proofing session
    response = requests.post(
        f"https://{BLOCKID_TENANT}.1kosmos.net/v1/verify/sessions",
        headers={
            "Authorization": f"Bearer {BLOCKID_API_KEY}",
            "Content-Type": "application/json"
        },
        json={
            "document_types": ["drivers_license", "passport"],
            "liveness_mode": "active",
            "callback_url": f"{API_GATEWAY_URL}/idv-callback",
            "metadata": {
                "cognito_user_pool": event['userPoolId'],
                "cognito_username": event['userName']
            }
        }
    )

    session = response.json()

    # Store session_id in user attributes for later retrieval
    event['response']['autoConfirmUser'] = False
    return event


# Custom Authentication Challenge: Present LiveID step-up
def define_auth_challenge(event, context):
    if event['request']['session'] and \
       len(event['request']['session']) > 0 and \
       event['request']['session'][-1]['challengeResult']:
        event['response']['issueTokens'] = True
    else:
        event['response']['issueTokens'] = False
        event['response']['challengeName'] = 'CUSTOM_CHALLENGE'
    return event


def create_auth_challenge(event, context):
    # Trigger 1Kosmos LiveID step-up
    stepup = requests.post(
        f"https://{BLOCKID_TENANT}.1kosmos.net/v1/auth/stepup",
        headers={"Authorization": f"Bearer {BLOCKID_API_KEY}"},
        json={
            "user_id": event['request']['userAttributes'].get('custom:blockid_sub'),
            "reason_code": "high_value_transaction",
            "timeout_seconds": 300
        }
    )

    challenge = stepup.json()
    event['response']['publicChallengeParameters'] = {
        'challenge_id': challenge['challenge_id'],
        'challenge_url': challenge['challenge_url']
    }
    event['response']['privateChallengeParameters'] = {
        'challenge_id': challenge['challenge_id']
    }
    return event


def verify_auth_challenge(event, context):
    challenge_id = event['request']['privateChallengeParameters']['challenge_id']

    # Check 1Kosmos step-up result
    result = requests.get(
        f"https://{BLOCKID_TENANT}.1kosmos.net/v1/auth/stepup/{challenge_id}/result",
        headers={"Authorization": f"Bearer {BLOCKID_API_KEY}"}
    )

    stepup_result = result.json()
    event['response']['answerCorrect'] = (
        stepup_result.get('match_result') == True and
        stepup_result.get('liveness_verified') == True
    )
    return event
# Pre Sign-up Lambda: Initiate 1Kosmos proofing session
import json
import boto3
import requests

def lambda_handler(event, context):
    # Create a 1Kosmos proofing session
    response = requests.post(
        f"https://{BLOCKID_TENANT}.1kosmos.net/v1/verify/sessions",
        headers={
            "Authorization": f"Bearer {BLOCKID_API_KEY}",
            "Content-Type": "application/json"
        },
        json={
            "document_types": ["drivers_license", "passport"],
            "liveness_mode": "active",
            "callback_url": f"{API_GATEWAY_URL}/idv-callback",
            "metadata": {
                "cognito_user_pool": event['userPoolId'],
                "cognito_username": event['userName']
            }
        }
    )

    session = response.json()

    # Store session_id in user attributes for later retrieval
    event['response']['autoConfirmUser'] = False
    return event


# Custom Authentication Challenge: Present LiveID step-up
def define_auth_challenge(event, context):
    if event['request']['session'] and \
       len(event['request']['session']) > 0 and \
       event['request']['session'][-1]['challengeResult']:
        event['response']['issueTokens'] = True
    else:
        event['response']['issueTokens'] = False
        event['response']['challengeName'] = 'CUSTOM_CHALLENGE'
    return event


def create_auth_challenge(event, context):
    # Trigger 1Kosmos LiveID step-up
    stepup = requests.post(
        f"https://{BLOCKID_TENANT}.1kosmos.net/v1/auth/stepup",
        headers={"Authorization": f"Bearer {BLOCKID_API_KEY}"},
        json={
            "user_id": event['request']['userAttributes'].get('custom:blockid_sub'),
            "reason_code": "high_value_transaction",
            "timeout_seconds": 300
        }
    )

    challenge = stepup.json()
    event['response']['publicChallengeParameters'] = {
        'challenge_id': challenge['challenge_id'],
        'challenge_url': challenge['challenge_url']
    }
    event['response']['privateChallengeParameters'] = {
        'challenge_id': challenge['challenge_id']
    }
    return event


def verify_auth_challenge(event, context):
    challenge_id = event['request']['privateChallengeParameters']['challenge_id']

    # Check 1Kosmos step-up result
    result = requests.get(
        f"https://{BLOCKID_TENANT}.1kosmos.net/v1/auth/stepup/{challenge_id}/result",
        headers={"Authorization": f"Bearer {BLOCKID_API_KEY}"}
    )

    stepup_result = result.json()
    event['response']['answerCorrect'] = (
        stepup_result.get('match_result') == True and
        stepup_result.get('liveness_verified') == True
    )
    return event
# Pre Sign-up Lambda: Initiate 1Kosmos proofing session
import json
import boto3
import requests

def lambda_handler(event, context):
    # Create a 1Kosmos proofing session
    response = requests.post(
        f"https://{BLOCKID_TENANT}.1kosmos.net/v1/verify/sessions",
        headers={
            "Authorization": f"Bearer {BLOCKID_API_KEY}",
            "Content-Type": "application/json"
        },
        json={
            "document_types": ["drivers_license", "passport"],
            "liveness_mode": "active",
            "callback_url": f"{API_GATEWAY_URL}/idv-callback",
            "metadata": {
                "cognito_user_pool": event['userPoolId'],
                "cognito_username": event['userName']
            }
        }
    )

    session = response.json()

    # Store session_id in user attributes for later retrieval
    event['response']['autoConfirmUser'] = False
    return event


# Custom Authentication Challenge: Present LiveID step-up
def define_auth_challenge(event, context):
    if event['request']['session'] and \
       len(event['request']['session']) > 0 and \
       event['request']['session'][-1]['challengeResult']:
        event['response']['issueTokens'] = True
    else:
        event['response']['issueTokens'] = False
        event['response']['challengeName'] = 'CUSTOM_CHALLENGE'
    return event


def create_auth_challenge(event, context):
    # Trigger 1Kosmos LiveID step-up
    stepup = requests.post(
        f"https://{BLOCKID_TENANT}.1kosmos.net/v1/auth/stepup",
        headers={"Authorization": f"Bearer {BLOCKID_API_KEY}"},
        json={
            "user_id": event['request']['userAttributes'].get('custom:blockid_sub'),
            "reason_code": "high_value_transaction",
            "timeout_seconds": 300
        }
    )

    challenge = stepup.json()
    event['response']['publicChallengeParameters'] = {
        'challenge_id': challenge['challenge_id'],
        'challenge_url': challenge['challenge_url']
    }
    event['response']['privateChallengeParameters'] = {
        'challenge_id': challenge['challenge_id']
    }
    return event


def verify_auth_challenge(event, context):
    challenge_id = event['request']['privateChallengeParameters']['challenge_id']

    # Check 1Kosmos step-up result
    result = requests.get(
        f"https://{BLOCKID_TENANT}.1kosmos.net/v1/auth/stepup/{challenge_id}/result",
        headers={"Authorization": f"Bearer {BLOCKID_API_KEY}"}
    )

    stepup_result = result.json()
    event['response']['answerCorrect'] = (
        stepup_result.get('match_result') == True and
        stepup_result.get('liveness_verified') == True
    )
    return event

Mechanism C: Amplify SDK integration

The 1Kosmos JavaScript SDK or mobile SDK is embedded alongside the AWS Amplify Auth library. The client application orchestrates the proofing flow and passes the verification result to Cognito via custom attributes during sign-up.

Step-up verification flow

Cognito's Custom Authentication Flow supports multi-step challenges. A step-up implementation inserts a 1Kosmos LiveID challenge as a CUSTOM_CHALLENGE in the authentication flow. The Define Auth Challenge Lambda evaluates the request context (e.g., API Gateway custom header indicating a high-value transaction) and issues a 1Kosmos biometric challenge. The Verify Auth Challenge Response Lambda validates the signed result from 1Kosmos before issuing tokens. This integrates with AWS API Gateway for transaction-level step-up in serverless architectures.

AWS architecture pattern:

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.

Request a demo

Talk to sales

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.

Request a demo

Talk to sales

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.

Request a demo

Talk to sales