Create, recover, or delete your account securely

This demo uses a two-step email verification flow with OTP for account creation, password recovery, and user deletion.

1. Email
2. OTP
3. Final details

Step 1: Verify your email

Submit your email first. We will send a one-time code to that address.

AWS Well-Architected Security Pillar alignment

This demo is a reference implementation designed to illustrate practical security choices in an AWS serverless architecture. It is intentionally simplified, but it maps directly to the AWS Well-Architected Security Pillar across identity, data protection, detection, infrastructure protection, incident response, and application security.

Security foundations

Each sensitive action follows a zero-trust mindset: requests are treated as untrusted by default, and the design aims to support least-privilege access with narrow request boundaries to reduce exposure of sensitive data.

Identity and access management

OTP is used to verify email ownership and as an additional verification step alongside the password for sensitive actions such as login and deletion. Passwords are required for login, account creation, and deletion.

Detection

Request IDs are logged to support traceability without exposing secrets, and the logging pattern can be extended to CloudWatch alerting for anomaly detection.

Infrastructure protection

The architecture is fully serverless and uses strict API boundaries, along with restrictive CORS, to reduce unnecessary attack surface. The backend is stateless, with no application server persisting runtime state between invocations.

Data protection

Secrets are hashed with one-way cryptographic functions before being stored in the database, reducing exposure if storage is accessed by authorized operators. Transport security is enforced with TLS 1.3+ to protect data in transit. Query parameters are URL-encoded for correctness, while confidentiality in transit is provided by TLS.

Incident response

OTP expiry, clear failure states, and controlled delete flows support safe recovery and response.

Application security

User input is validated on the client side before being sent to the API. Strict CORS helps limit which browser origins can call the API, but backend validation remains the primary security control.

Notes and considerations

This is a demo, not a production service. It intentionally highlights both strengths and trade-offs, including client-side compromise, email-based OTP limitations, static secret questions, cloud-provider dependency, and jurisdictional data considerations.

Content disclaimer

This page was created through a human-led process, with AI used for polishing, wording refinement, and presentation assistance. The core product thinking, architecture decisions, security analysis, and overall design direction are human-authored.

What this demo does well

It keeps the workflow simple to understand, shows security as a deliberate design choice, and demonstrates how AWS serverless services can support a secure, explainable identity flow.

Risk and trade-offs

Client-side compromise

Even with TLS 1.3+, secrets can still be exposed if the client device is compromised by malware, remote access tools, or keyloggers.

Email OTP limitations

OTP via email is only effective if the attacker does not already control the victim’s email account or device session.

Static recovery questions

Static secret questions can be vulnerable to social engineering. Requiring three correct answers reduces risk, but does not eliminate it.

Cloud provider dependency

Using Lambda, DynamoDB, and API Gateway improves operational simplicity and elasticity, but introduces some cloud-provider lock-in compared with container-based portability.

Data jurisdiction

The demo keeps data collection minimal and uses a consent-driven flow, but production deployments should still consider regional jurisdiction, retention, and compliance requirements.