Amplify UI

Configuration

How to set up and configure your Authenticator component.

Wait!

Did you follow the quick start instructions to set up the Authenticator first?

Initial State

By default, unauthenticated users are redirected to the Sign In flow. You can explicitly redirect to Sign Up or Forgot Password:

Login Mechanisms

Zero Configuration

Whether the user is able to sign in with their username, phone number or email is automatically inferred from the current Amplify configuration.

This determines which login mechanism the Authenticator for Swift uses; no other configuration is supported.

Passwordless Authentication

Platform Requirements

Passkey support requires iOS 17.4+, macOS 13.5+, or visionOS 1.0+.

Backend Configuration

For backend setup including Email OTP, SMS OTP, and WebAuthn (Passkey) configuration, see the Passwordless documentation.

Authentication Flows

The Authenticator supports two authentication flows:

Password Flow (Default)

Traditional password-based authentication:

Authenticator(authenticationFlow: .password) { signedInState in
    Text("Welcome!")
}

User Choice Flow

Allows users to choose from available authentication methods:

Authenticator(authenticationFlow: .userChoice()) { signedInState in
    Text("Welcome!")
}

Available Authentication Factors

| Factor | Description | Code |
| --- | --- | --- |
| Password | Traditional password with SRP | .password(srp: true) |
| Password (no SRP) | Password without SRP | .password(srp: false) |
| Email OTP | One-time code via email | .emailOtp |
| SMS OTP | One-time code via SMS | .smsOtp |
| WebAuthn (Passkey) | Biometric/security key authentication | .webAuthn |

Preferred Auth Factor

Skip the factor selection step by specifying a preferred factor:

Authenticator(
    authenticationFlow: .userChoice(
        preferredAuthFactor: .webAuthn
    )
) { signedInState in
    Text("Welcome!")
}

When a preferred factor is set:

  • If the user has that factor available, they'll use it directly
  • If not available, they'll see the factor selection screen

Passkey Prompts

Control when users are prompted to create a passkey:

Authenticator(
    authenticationFlow: .userChoice(
        passkeyPrompts: PasskeyPrompts(
            afterSignUp: .always,  // Prompt after sign-up
            afterSignIn: .never    // Don't prompt after sign-in
        )
    )
) { signedInState in
    Text("Welcome!")
}

PasskeyPrompt Options:

  • .always - Always prompt to create a passkey (if the user doesn't have one)
  • .never - Never prompt to create a passkey

Authentication Flow Steps

When using the .userChoice flow, users may encounter these additional steps:

  1. signInSelectAuthFactor - User selects their preferred authentication method
  2. signInConfirmPassword - User enters password (if password factor selected)
  3. promptToCreatePasskey - User is prompted to create a passkey
  4. passkeyCreated - Confirmation after successful passkey creation

Complete Example

Authenticator(
    authenticationFlow: .userChoice(
        preferredAuthFactor: .webAuthn,
        passkeyPrompts: PasskeyPrompts(
            afterSignUp: .always,
            afterSignIn: .always
        )
    )
) { signedInState in
    Text("Welcome \(signedInState.user.username)!")
}

Sign Up Attributes

Zero Configuration

The Authenticator automatically infers signUpAttributes from amplify pull, but they can also be defined explicitly, as shown below.

The Authenticator automatically renders most Cognito User Pools attributes, with the exception of address, gender, locale, picture, updated_at, and zoneinfo. Because these are often app-specific, they can be customized via Sign Up fields.

By default, the Authenticator will still require any attributes required for verification, such as email, even if signUpAttributes is empty:

Authenticator { _ in
    Text("You are logged in!")
}

Authenticator { _ in
    Text("You are logged in!")
}
.signUpFields([
    .username(),
    .password(),
    .confirmPassword(),
    .email(),
    .phoneNumber(),
    .address(),
    .birthDate(),
    .gender(),
    .givenName(),
    .middleName(),
    .familyName(),
    .name(),
    .nickname(),
    .preferredUsername(),
    .profile(),
    .website()
])

Hide Sign Up Button

The Authenticator has an option to hide the Sign Up link button that appears in the Sign In view:

Authenticator { _ in
    Text("You are logged in!")
}
.hidesSignUpButton()

TOTP Issuer

The TOTP issuer is the name that will be shown in TOTP applications preceding the account name. In most cases, this should be the name of your app. For example, if your app is called "My App", your user will see "My App" - "username" in their TOTP app. This can be customized by adding the totpOptions argument to the Authenticator component with a value for issuer.

Note: Unless changed, the default issuer is the application name retrieved from the project configuration. On iOS, the key for this value is CFBundleDisplayName, found in Info.plist.

Authenticator(totpOptions: .init(issuer: "My App")) { _ in
    Text("Signed In Content")
}
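
How the issuer ends up in front of the account name in a TOTP app, as an added example (not Amplify's or the Authenticator's own code). It assumes the otpauth:// Key URI format that TOTP apps commonly read from a setup QR code; the helper names totpSetupURI and displayedEntry and the sample secret are constructed for illustration.

```swift
import Foundation

// Hypothetical helper (not an Amplify API): builds the setup URI a TOTP app scans.
func totpSetupURI(issuer: String, account: String, base32Secret: String) -> URL? {
    // The label is "issuer:account", so a colon inside either part would be ambiguous.
    guard !issuer.isEmpty, !account.isEmpty,
          !issuer.contains(":"), !account.contains(":") else { return nil }

    var components = URLComponents()
    components.scheme = "otpauth"
    components.host = "totp"
    // Assigning `path` lets URLComponents percent-encode spaces in the issuer.
    components.path = "/\(issuer):\(account)"
    components.queryItems = [
        URLQueryItem(name: "secret", value: base32Secret),
        URLQueryItem(name: "issuer", value: issuer),
    ]
    return components.url
}

// Hypothetical helper: what a TOTP app would list for the URI, or nil when the
// label prefix and the issuer parameter disagree (a mismatched, misleading entry).
func displayedEntry(for uri: URL) -> (issuer: String, account: String)? {
    guard uri.scheme == "otpauth",
          let components = URLComponents(url: uri, resolvingAgainstBaseURL: false),
          components.host == "totp" else { return nil }

    let label = String(components.path.dropFirst())  // decoded, without the leading "/"
    let parts = label.split(separator: ":", maxSplits: 1).map(String.init)
    guard parts.count == 2 else { return nil }

    let issuerParam = components.queryItems?.first(where: { $0.name == "issuer" })?.value
    guard issuerParam == nil || issuerParam == parts[0] else { return nil }
    return (issuer: parts[0], account: parts[1])
}

// Constructed sample values; the secret is a demo string, not a real key.
if let uri = totpSetupURI(issuer: "My App", account: "username",
                          base32Secret: "JBSWY3DPEHPK3PXP"),
   let entry = displayedEntry(for: uri) {
    print(uri.absoluteString)
    print("\"\(entry.issuer)\" - \"\(entry.account)\"")
}
```

Keeping the issuer free of colons and identical in the label and the issuer parameter is what lets users tell your app's entry apart from a look-alike one in their TOTP app.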
