Introduction

AWS Rekognition is a cloud-based AI service that offers computer vision capabilities for analyzing and processing images. It can detect faces and ID documents, store them in a collection, and compare new images against that collection. This guide shows how to use Descope's AWS Rekognition connector to add facial recognition to your authentication flows.

Items to Note

  • This connector does not work when the user authenticates with the following methods:
    1. SAML
    2. Microsoft Azure OAuth
  • AWS Rekognition does not check ID card authenticity. The document score only reflects whether the image is recognized as an identification document, not whether that document is genuine or still valid, so registration through this connector is not identity proofing on its own.

How to Configure

You can complete the configuration in the two steps listed below.

  1. Generate an Access Key ID and Secret Access Key in AWS IAM. The user associated with the keys must have the Amazon Rekognition Full Access policy (the AWS managed policy AmazonRekognitionFullAccess) attached. Create a dedicated IAM user for this connector rather than reusing an existing one, so the keys carry no permissions beyond Rekognition and can be rotated independently.
  2. Configure the connector with the required parameters, and save your configuration by clicking Create:
(Screenshot: Setup connector)

How to Register a User

You can register a user to a collection using their ID (identity) document. This is equivalent to signing the user up to the service. Registration requires an image of the identification document and an external ID, which is populated automatically from the user's identifier.

To register a user, follow these steps:

  1. In your Sign Up flow, add an Upload Document component to a screen:
(Screenshot: Upload document)
  2. Then, add the AWS Rekognition / Register action block to the flow, and link it to the screen created in the previous step. Use a meaningful context key value (such as register, in the example below).
(Screenshot: Register step)
  3. Finally, add a new conditional block to the flow, and link it to the AWS Rekognition / Register action block. In the conditional block, you can use the information received from the previous step, which includes:
  • documentConfidence: Scale of 0-100 - the confidence that the uploaded image is a valid ID document (the higher the score, the higher the confidence). Use it to decide whether the user may proceed with sign up; a low score should fail the registration.

  • existingSearchConfidence: Scale of 0-100 - the confidence that the face on the ID already exists in the collection. Use it to detect a user who is already registered; if the score is high, skip sign up and route the user to the sign in process instead.

Configure the condition based on the parameters above to determine whether to accept the registration, and how to handle the different cases:

(Screenshot: Post register condition)

An example of what the flow looks like:

(Screenshot: Sign up flow)

How to Verify a User

This section covers how to verify that a user is part of the previously defined collection using their photo. This adds an extra layer of verification, such as multi-factor authentication (MFA) or step-up authentication. Verification requires a selfie photo and an external ID, which is populated automatically from the user's identifier.

To verify a user as part of an MFA process, follow these steps:

  1. Design the flow to include a sign in process using your desired authentication methods.
  2. Add the Take a Photo component to a new screen in your flow, after the sign in section:
(Screenshot: Take a photo)
  3. Then, add the AWS Rekognition / Verify action block to the flow, and link it to the screen created in the previous step. Use a meaningful context key value (such as verify, in the example below).
(Screenshot: Verify step)
  4. Add a new condition block to the flow, and connect it to the AWS Rekognition / Verify action block. In the condition, you can use the information received from the previous step, which includes:
  • externalIdMatched: True or False - true if the submitted external ID exists in the collection, meaning the user completed registration and can continue with the verification process.

  • confidence: Scale of 0-100 - the confidence that the submitted selfie matches a face already in the collection (the higher the score, the higher the confidence). Use it to decide whether to accept the MFA step and approve the sign in attempt.

Configure the condition based on the parameters above to determine whether to accept the verification, and how to handle the different cases. Require both that externalIdMatched is true and that confidence exceeds the threshold you choose: a high-confidence match with externalIdMatched false means the user signing in was never registered, however closely the selfie resembles some face in the collection, and must not be approved:

(Screenshot: Post verify condition)
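The post-register condition described earlier and the post-verify condition described here, written out as explicit decision logic. This is an added example, not code from Descope or from this page: the thresholds, the outcome names and the fail-closed handling of missing or malformed values are assumptions, and the example goes slightly beyond the text by rejecting responses in which a score is absent, non-numeric or out of range. The input keys (documentConfidence, existingSearchConfidence, externalIdMatched, confidence) are the ones the connector exposes to the condition blocks.

```python
"""Decision logic for the post-register and post-verify conditions.

Added example, not Descope's own code. The thresholds, the outcome names and
the fail-closed handling of missing values are assumptions; the input keys
(documentConfidence, existingSearchConfidence, externalIdMatched, confidence)
are the ones the connector exposes to the condition blocks.
"""
from enum import Enum
from typing import Any, Mapping

# Assumed thresholds (0-100). Tune them against your own acceptable
# false-reject and false-accept rates; they are not values recommended by
# Descope or AWS.
DOCUMENT_MIN = 90.0   # documentConfidence needed to accept the uploaded ID image
EXISTING_MIN = 90.0   # existingSearchConfidence at which the user counts as registered
VERIFY_MIN = 95.0     # confidence needed for the selfie to pass as an MFA factor


class RegisterOutcome(str, Enum):
    REJECT = "reject"                    # image not accepted as a valid ID document
    EXISTING_USER = "existing_user"      # face already in the collection: route to sign in
    CONTINUE_SIGNUP = "continue_signup"  # new user: carry on with the sign up flow


class VerifyOutcome(str, Enum):
    ACCEPT = "accept"
    REJECT = "reject"


def _score(ctx: Mapping[str, Any], key: str) -> float:
    """Read a 0-100 score from the flow context.

    Anything missing, non-numeric or out of range is treated as 0 so that a
    broken or partial connector response fails closed rather than open.
    """
    try:
        value = float(ctx[key])
    except (KeyError, TypeError, ValueError):
        return 0.0
    return value if 0.0 <= value <= 100.0 else 0.0


def post_register_condition(ctx: Mapping[str, Any]) -> RegisterOutcome:
    """Mirror of the post-register condition block.

    The document check runs first: an image that is not recognised as an ID
    is rejected even if it resembles a face already in the collection.
    """
    if _score(ctx, "documentConfidence") < DOCUMENT_MIN:
        return RegisterOutcome.REJECT
    if _score(ctx, "existingSearchConfidence") >= EXISTING_MIN:
        return RegisterOutcome.EXISTING_USER
    return RegisterOutcome.CONTINUE_SIGNUP


def post_verify_condition(ctx: Mapping[str, Any]) -> VerifyOutcome:
    """Mirror of the post-verify condition block.

    Both checks must hold. A high-confidence face match alone is not enough:
    with externalIdMatched false the user signing in was never registered,
    however closely the selfie resembles some face in the collection. Only a
    real boolean True is accepted; the string "true" is deliberately not.
    """
    matched = ctx.get("externalIdMatched") is True
    if matched and _score(ctx, "confidence") >= VERIFY_MIN:
        return VerifyOutcome.ACCEPT
    return VerifyOutcome.REJECT


if __name__ == "__main__":
    # Constructed sample contexts; not real connector output.
    samples = [
        ("new user, valid ID", post_register_condition,
         {"documentConfidence": 97.2, "existingSearchConfidence": 12.0}),
        ("already registered", post_register_condition,
         {"documentConfidence": 98.0, "existingSearchConfidence": 99.1}),
        ("not an ID image", post_register_condition,
         {"documentConfidence": 41.0, "existingSearchConfidence": 99.0}),
        ("selfie OK", post_verify_condition,
         {"externalIdMatched": True, "confidence": 99.3}),
        ("face known, user unregistered", post_verify_condition,
         {"externalIdMatched": False, "confidence": 99.3}),
        ("weak match", post_verify_condition,
         {"externalIdMatched": True, "confidence": 70.0}),
    ]
    for label, fn, ctx in samples:
        print(f"{label:32} -> {fn(ctx).value}")
```

The ordering in post_register_condition is a deliberate choice: the document threshold is evaluated before the existing-user search, so a frame that is not an ID document at all cannot short-circuit into the sign in path just because it matches a stored face.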

An example of what the flow looks like:

(Screenshot: Sign In flow)

And that's it! You should now be able to use AWS Rekognition in your authentication flow, using Descope.