Cognito authentication APIs support various authentication flow types, including ADMIN_NO_SRP_AUTH and USER_PASSWORD_AUTH. Both ADMIN_NO_SRP_AUTH and USER_PASSWORD_AUTH send the username and the password from the client to the IDP without using the SRP protocol.
USER_PASSWORD_AUTH also supports migrating users from a legacy application without requiring them to reset their passwords. However, AWS documentation suggests that we should update our auth flow type to a more secure one (for example, using SRP) after the migration is complete.
ADMIN_NO_SRP_AUTH is only supported for server-side authentication using admin-initiate-auth and admin-respond-to-auth-challenge, and is not supported for client-side authentication using initiate-auth and respond-to-auth-challenge.
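
As an added example (not from the original page or from AWS), the following Python check reads the JSON returned by `aws cognito-idp describe-user-pool-client` and reports which non-SRP password flows an app client has enabled. The client names and IDs are constructed sample data, and the `ALLOW_`-prefixed values are the newer names for the two flows discussed above.

```python
import json

# ExplicitAuthFlows values whose flow sends the password itself (no SRP).
# Both the legacy names used on this page and the ALLOW_-prefixed names are mapped.
PASSWORD_FLOWS = {
    "USER_PASSWORD_AUTH": "client-side",
    "ALLOW_USER_PASSWORD_AUTH": "client-side",
    "ADMIN_NO_SRP_AUTH": "server-side",
    "ALLOW_ADMIN_USER_PASSWORD_AUTH": "server-side",
}

def audit_client(describe_output: str) -> list:
    """Return one finding per non-SRP password flow enabled on an app client."""
    client = json.loads(describe_output)["UserPoolClient"]
    findings = []
    for flow in client.get("ExplicitAuthFlows", []):
        side = PASSWORD_FLOWS.get(flow)
        if side is None:
            continue  # SRP, custom and refresh-token flows are not reported
        if side == "client-side":
            # Usable through initiate-auth, so any caller of the app client can use it.
            action = "keep for migration only; move to an SRP flow and disable afterwards"
        else:
            # Only usable through admin-initiate-auth, i.e. from a backend.
            action = "confirm it is called only from server-side code"
        findings.append({"client": client["ClientName"], "flow": flow,
                         "side": side, "action": action})
    return findings

# Constructed sample inputs shaped like describe-user-pool-client output.
SAMPLE_WEB = json.dumps({"UserPoolClient": {
    "ClientName": "legacy-web", "ClientId": "EXAMPLECLIENTID1",
    "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH",
                          "ALLOW_REFRESH_TOKEN_AUTH"]}})
SAMPLE_BACKEND = json.dumps({"UserPoolClient": {
    "ClientName": "backend-api", "ClientId": "EXAMPLECLIENTID2",
    "ExplicitAuthFlows": ["ADMIN_NO_SRP_AUTH"]}})
SAMPLE_SRP_ONLY = json.dumps({"UserPoolClient": {
    "ClientName": "mobile", "ClientId": "EXAMPLECLIENTID3",
    "ExplicitAuthFlows": ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]}})

if __name__ == "__main__":
    for sample in (SAMPLE_WEB, SAMPLE_BACKEND, SAMPLE_SRP_ONLY):
        for f in audit_client(sample):
            print(f"{f['client']}: {f['flow']} ({f['side']}) -> {f['action']}")
```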