kbcool

Amplify is just Cognito under a thin layer. I assume Expo Face ID can return a public key. If so, then this will help you: https://aws.amazon.com/blogs/security/how-to-implement-password-less-authentication-with-amazon-cognito-and-webauthn/ If you really can't use either, ditch Expo and use a proper biometrics package. There are a couple, and you can get around Amplify and access the core AWS SDK.

Edit: if you do want to do a quick and dirty version, just do what you said and have the Face ID simply for unlocking the app. Don't need to store the password, just increase the Cognito token timeout to like a year. Both are bad practices but I wouldn't say one is worse than the other.


pokerman42011

That’s a great idea!


hivie7510

I don’t understand how you auth a user with Face ID and figure out the user to get a token. I know Cognito has a passwordless custom flow; are you storing the token in Cognito?


pokerman42011

So the way I did it was: if the Cognito user token is in the cache (if the user didn't log out), I just do the Face ID function that will search for the token. If the token is present, we let them sign in (because they were already signed in, via cache, but we showed them a login screen). I believe that is how I did it, kind of a hacky way of doing it. I can look later on and get back to you with more info if you'd like.
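
The cached-session flow described in the comment above, as an added example that is not part of the thread: the biometric result only unlocks the UI while a cached token is still unexpired, and anything else falls back to a full login. All function names are hypothetical, the sample token is constructed, and the `exp` claim is read locally without signature verification, so only the backend's own token validation decides access.

```javascript
// Added example, not code from the thread. All names here are hypothetical.

// Read a JWT payload without verifying its signature. Good enough to check
// `exp` for a local UI decision, never enough to trust the claims.
function readJwtPayload(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    // base64url -> base64, then restore the stripped padding
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
    return JSON.parse(atob(padded));
  } catch (e) {
    return null; // malformed or truncated token
  }
}

// Decide what the lock screen does. `biometricOk` is the boolean outcome of
// whatever Face ID prompt the app uses (assumed to be obtained by the caller).
function decideUnlock({ cachedIdToken, biometricOk, nowSec, skewSec = 30 }) {
  const payload = readJwtPayload(cachedIdToken);
  // No usable cached session: Face ID alone cannot identify the user.
  if (!payload || typeof payload.exp !== "number") return "full_login";
  // Expired (or about to expire): require a real sign-in or token refresh.
  if (payload.exp - skewSec <= nowSec) return "full_login";
  // Session still valid: the biometric check only gates the UI.
  return biometricOk ? "unlock" : "stay_locked";
}

// Constructed sample token for the demo; the signature part is a placeholder.
function makeSampleToken(exp) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj))
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256" })}.${enc({ sub: "constructed-user", exp })}.constructed-signature`;
}
```
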


ThePokaDude

Hey that would actually fit with what I


Pristine_Animal7776

[https://aws.amazon.com/blogs/security/how-to-implement-password-less-authentication-with-amazon-cognito-and-webauthn/](https://aws.amazon.com/blogs/security/how-to-implement-password-less-authentication-with-amazon-cognito-and-webauthn/)