Hey everyone! I'm developing a mobile app using Flutter that's hosted on AWS, and I need some guidance on designing a secure login process for a unique feature. The app includes a 'diary' function where users can create and save personal notes. For privacy, each user has a real diary and a decoy diary, both accessible through the same password field. Depending on which password the user enters, they should either access their real diary or the decoy one. Each diary has its own unique password.
Currently, I'm using Cognito for user authentication via Google, but I'm uncertain if it's the right tool for implementing this type of login flow, as I couldn't find any relevant information. One alternative I considered is storing hashed passwords in DynamoDB and using a Lambda function to verify passwords against both hashes. This seems simple, but I'm not entirely confident about its safety. I'd love to get your thoughts and suggestions on how to approach this!
5 Answers
I'm curious why you’ve gone with the fake diary approach at all. It's somewhat problematic to route users differently based on their password input. A better method might be to focus on robust user authentication so you don't need this honeypot strategy.
Using Cognito or Google for your identity provider (IdP) won't work for this scenario since they won't handle the second password and don’t even know the original password. If you want this dual diary access, you’ll probably need to create your own IdP. Honestly, I would recommend rethinking your approach to align more closely with the tools you're using without complicating things too much.
This feels like a classic case of creating a solution for a problem that doesn't really exist. Just be wary of where this could lead. I hope this isn’t becoming a trend where gimmicky features like these are paired with AI-generated concepts that might divert from providing real value.
This concept may not be practical long-term, but if it’s more of a fun side project, here's an idea: Log users in normally with Cognito and only show the real diary. Then, add a feature to unlock the real diary with a password input; if it matches, display the real diary, otherwise show the fake one. You could use the password as an encryption key—store a hash (like with argon2d) and keep the diary content encrypted. This way, losing the password would mean you can't decrypt the real diary, which aligns with how secure encryption apps work.
Storing the fake diary locally and using a second password to unlock it might be a simpler solution. Why keep the fake diary on your servers when you can just manage that locally? It could streamline your design while still keeping the function you want!
Related Questions
How to Build a Custom GPT Journalist That Posts Directly to WordPress
Fix Not Being Able To Add New Categories With Intuitive Category Checklist For Wordpress
Get Real User IP Without Installing Cloudflare Apache Module
How to Get Total Line Count In Visual Studio 2013 Without Addons
Install and Configure PhpMyAdmin on Centos 7
How To Setup PostfixAdmin With Dovecot and Postfix Virtual Mailbox