We are setting up an authentication system using Cognito and Amplify. We noticed that Amplify suggests Secure Remote Password (SRP) as the default.
I can understand the benefits of SRP for protecting against man-in-the-middle and similar attacks. But it seems there is a downside too: for example, the server is unable to perform strength checks or to call Have I Been Pwned to check if the password has been compromised. By choosing SRP, it seems like we are opening ourselves to more of our users choosing “Password123!” as their password.
I haven’t been able to find much discussion on whether SRP is really a good choice or not. Does anyone know of standards or best practices I can refer to?
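The trade-off the question describes, worked through as an added example (this is not code from the original post, Amplify, Cognito, or Have I Been Pwned). Under SRP the server ends up holding only a salt and a verifier v = g^x mod N, from which the password cannot be recovered, so a strength or breach check has to run on the client before the verifier is derived. The block below does exactly that: it screens the password (a minimum length and a k-anonymity lookup in the shape of the HIBP range API, which takes the first five hex characters of SHA-1(password) and returns "suffix:count" lines), and only then computes an RFC 5054-style verifier. Assumptions: the 1024-bit group and generator are the ones from RFC 5054 Appendix A, chosen for readability rather than strength; `MIN_LENGTH`, `CONSTRUCTED_BREACHED` and `fake_range_response` are constructed stand-ins so the example runs offline; `enroll`, `screen_password`, `pwned_count`, `hibp_split` and `srp_verifier` are names invented for this illustration and do not correspond to any Amplify or Cognito API.

```python
"""Client-side password screening in front of an SRP enrollment.

Added illustration, not code from Amplify, Cognito, or Have I Been Pwned.
With SRP the server receives only (salt, verifier), so any strength or
breach check has to run on the client before the verifier is computed.
"""
import hashlib
import os

# 1024-bit group from RFC 5054 Appendix A, generator 2. Used here because it
# is small enough to read; a real deployment uses the group its server mandates.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
G = 2

MIN_LENGTH = 12  # assumed local policy, not a Cognito or NIST constant

# Constructed stand-in for the HIBP corpus: password -> breach count.
# The counts are made up; the point is the lookup shape, not the numbers.
CONSTRUCTED_BREACHED = {"Password123!": 12345, "letmein": 777}


def srp_verifier(username: str, password: str, salt: bytes) -> int:
    """RFC 5054 verifier: x = SHA1(salt | SHA1(I ":" P)), v = g^x mod N."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    x = int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")
    return pow(G, x, N)


def hibp_split(password: str):
    """Split SHA-1(password) as the HIBP range API expects: 5-hex prefix, 35-hex suffix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def fake_range_response(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real endpoint returns one "<suffix>:<count>" line per hash sharing the prefix.
    """
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, s = hibp_split(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def pwned_count(password: str, fetch_range=fake_range_response) -> int:
    """k-anonymity lookup: only the 5-character prefix ever leaves the client."""
    prefix, suffix = hibp_split(password)
    for line in fetch_range(prefix).splitlines():
        s, count = line.split(":")
        if s == suffix:
            return int(count)
    return 0


def screen_password(password: str, fetch_range=fake_range_response) -> list:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hits = pwned_count(password, fetch_range)
    if hits:
        problems.append(f"seen {hits} times in known breaches")
    return problems


def enroll(username: str, password: str, fetch_range=fake_range_response, salt: bytes = None) -> dict:
    """Client-side enrollment: screen first, then derive what the server will store.

    Returns the (salt, verifier) pair; the password itself is never part of the result.
    Raises ValueError if screening fails, so a rejected password never yields a verifier.
    """
    problems = screen_password(password, fetch_range)
    if problems:
        raise ValueError("; ".join(problems))
    salt = salt if salt is not None else os.urandom(16)
    return {
        "username": username,
        "salt": salt.hex(),
        "verifier": srp_verifier(username, password, salt),
    }


if __name__ == "__main__":
    try:
        enroll("alice", "Password123!")
    except ValueError as e:
        print("rejected:", e)
    print(enroll("alice", "correct horse battery staple"))
```

Swapping `fake_range_response` for a real HTTPS call to the range endpoint is the only change needed to make this a live check; the k-anonymity property holds either way because only the five-character prefix is sent. Note that nothing in the returned record lets the server run the same check later, which is precisely the limitation the question raises.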