Secure user sign-up and sign-in is critical for many mobile and web applications. Amazon Cognito is the easiest way to secure your mobile and web applications by providing a comprehensive identity solution for end user management, registration, sign-in, and security. In this product deep dive, we will walk through Cognito’s feature set, which includes serverless flows for user management and sign-in, a fully managed user directory, integrations with existing corporate directories, and many other features. In addition, we will cover key use cases and discuss the associated benefits.
2. Identity is mission critical for your applications
User identity sits at the centre of three concerns:
• Security: protect sensitive data; secure business-critical processes
• Revenue generation: know your users; monitor engagement with your application
• Application backbone: store and manage user data; personalize your users’ experiences
3. Developing Auth Infrastructure is Difficult
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Implementing token-based authentication
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications
4. Amazon Cognito Identity
• Your User Pools: you can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully managed service that scales to support hundreds of millions of users.
• Federated Identities: your users can sign in with third-party identity providers, such as Facebook and SAML providers, and you can control access to AWS resources from your app.
Diagram: a sign-in form (username, password, submit) beside the supported sign-in sources: your user pools, Facebook, corporate OIDC, and SAML.
6. Amazon Cognito: Identity Management Scenarios
• Business to Consumer
• Business to Employee: SAML federation with the enterprise directory
• Business to Business: federation with partner identity providers (Partner A, Partner B)
• IoT scenarios: AWS IoT
• API Gateway with Lambda: a custom authorizer returns Allow or Deny for each request
• Access control for AWS resources: AWS IAM
7. Your User Pools
1. Serverless Authentication and User Management: add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure
2. Enhanced Security Features: verify phone numbers and email addresses and offer multi-factor authentication
3. Managed User Directory: launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to hundreds of millions of users
8. Comprehensive User Flows
• User Sign-Up and Sign-In: allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
• Email or Phone Number Verification: require users to verify their email address or phone number prior to activating their account with a one-time password challenge.
• Forgot Password: provide users the ability to change their password when they forget it with a one-time password challenge.
• User Profile Data: enable users to view and update their profile data, including custom attributes.
• SMS Multifactor Authentication: require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow.
• Token Based Authentication: use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend.
Customize these user flows using Lambda.
9. Custom User Flows Using Lambda Hooks
Custom Authentication Flow
• Define Auth Challenge: determines the next challenge in a custom auth flow
• Create Auth Challenge: creates a challenge in a custom auth flow
• Verify Auth Challenge Response: determines if a response is correct in a custom auth flow
Authentication Events
• Pre Authentication: custom validation to accept or deny the sign-in request
• Post Authentication: event logging for custom analytics
Sign-Up
• Pre Sign-up: custom validation to accept or deny the sign-up request
• Post Confirmation: custom welcome messages or event logging for custom analytics
Messages
• Custom Message: advanced customization and localization of messages
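The three Custom Authentication Flow hooks above are what you combine to build a one-time-password challenge such as the SMS/email invite flow described later in the deck. The Python below is an added example and not code from the deck or from AWS: the event and response field names follow the Cognito Lambda trigger contract, while deliver_otp(), the DELIVERED outbox and run_custom_auth_flow() are assumptions added so the three handlers can be chained and exercised offline in the order Cognito calls them.

```python
"""OTP-based custom authentication flow built from the Define / Create / Verify
Auth Challenge hooks. Added example, not the deck's code. deliver_otp() is a
placeholder (assumption) for the SMS/email delivery a real deployment would do."""
import hmac
import secrets

MAX_ATTEMPTS = 3   # fail authentication after this many wrong OTP answers
OTP_DIGITS = 6
DELIVERED = []     # placeholder outbox of (destination, code) pairs, assumption only


def define_auth_challenge(event):
    """Decide the next step. event['request']['session'] lists the challenges
    already presented, each with a boolean challengeResult."""
    session = event["request"]["session"]
    resp = event["response"]
    if session and session[-1]["challengeResult"]:
        # The last OTP was correct: let Cognito issue tokens.
        resp["issueTokens"], resp["failAuthentication"] = True, False
    elif len(session) >= MAX_ATTEMPTS:
        # Attempt budget exhausted: stop the flow without tokens.
        resp["issueTokens"], resp["failAuthentication"] = False, True
    else:
        resp["issueTokens"], resp["failAuthentication"] = False, False
        resp["challengeName"] = "CUSTOM_CHALLENGE"
    return event


def deliver_otp(destination, code):
    """Placeholder for SMS/email delivery (assumption; real code would call SNS/SES)."""
    DELIVERED.append((destination, code))


def mask_phone(phone):
    """Show the client only the last four digits of the delivery destination."""
    return "*" * max(len(phone) - 4, 0) + phone[-4:]


def create_auth_challenge(event):
    """Generate a fresh OTP. The secret goes in privateChallengeParameters, which
    Cognito never returns to the client; the public part carries only a masked hint."""
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    phone = event["request"]["userAttributes"].get("phone_number", "")
    deliver_otp(phone, code)
    event["response"]["publicChallengeParameters"] = {"destination": mask_phone(phone)}
    event["response"]["privateChallengeParameters"] = {"answer": code}
    event["response"]["challengeMetadata"] = "OTP"
    return event


def verify_auth_challenge_response(event):
    """Compare the client's answer with the stored OTP in constant time."""
    expected = event["request"]["privateChallengeParameters"]["answer"]
    given = str(event["request"].get("challengeAnswer", ""))
    event["response"]["answerCorrect"] = hmac.compare_digest(expected.encode(), given.encode())
    return event


def run_custom_auth_flow(user_attributes, answer_fn):
    """Chain the hooks the way Cognito does, for local testing (assumption).
    answer_fn(delivered_code, attempt) returns what the client would type.
    Returns ("ISSUED" or "FAILED", number of challenges answered)."""
    session = []
    for _ in range(MAX_ATTEMPTS + 1):
        decision = define_auth_challenge(
            {"request": {"session": list(session)}, "response": {}})["response"]
        if decision["issueTokens"]:
            return "ISSUED", len(session)
        if decision["failAuthentication"]:
            return "FAILED", len(session)
        created = create_auth_challenge(
            {"request": {"userAttributes": user_attributes,
                         "challengeName": decision["challengeName"]},
             "response": {}})["response"]
        verified = verify_auth_challenge_response(
            {"request": {"privateChallengeParameters": created["privateChallengeParameters"],
                         "challengeAnswer": answer_fn(DELIVERED[-1][1], len(session))},
             "response": {}})["response"]
        session.append({"challengeName": "CUSTOM_CHALLENGE",
                        "challengeResult": verified["answerCorrect"]})
    return "FAILED", len(session)   # not reached: the define hook decides within the loop


if __name__ == "__main__":
    user = {"phone_number": "+15555550123"}   # constructed sample user
    print(run_custom_auth_flow(user, lambda code, attempt: code))    # correct on first try
    print(run_custom_auth_flow(user, lambda code, attempt: "bad"))   # three wrong answers
```

The design points are the split between publicChallengeParameters (sent to the client, hence only a masked destination) and privateChallengeParameters (held by Cognito and handed back to the verify hook), the bounded attempt count enforced in define_auth_challenge, and the constant-time comparison in verify_auth_challenge_response.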
11. Extensive Admin Capabilities
• Create and manage User Pools: create, configure, and delete multiple user pools across AWS regions
• Define Custom Attributes: define custom attributes for your user profiles
• Set per-App Permissions: set read and write permissions for each user attribute on a per-app basis
• Set up Password Policies: enforce password policies like minimum length and requirement of certain types of characters
• Require Submission of Attribute Data: select which attributes must be provided by the user prior to completion of the sign-up process
• Search Users: search users based on a full match or a prefix match of their attributes through the console or Admin API
• Manage Users: conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
12. Remembered Devices
Remember the devices associated with your users.
1. How do I reduce the friction that my users face when having to complete the 2nd factor challenge on every sign-in?
2. How do I build logic to associate devices with my users to achieve my specific business requirements?
13. Importing Existing Users
• Import users into your Cognito user pool by uploading .csv files
• Users will create a new password when they first sign in
• Each imported user must have an email address or a phone number
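A pre-flight check for the .csv file, as an added example written in Python (not the deck's or AWS's code). It enforces the rule stated above, that each imported user has an email address or a phone number, plus two further requirements of the import job: a unique cognito:username per row and at least one verified contact attribute, since an imported user has no password yet and receives the code for setting one at first sign-in through that contact. The column names are an assumption limited to the ones used here; the complete header row is the one downloaded from the user pool, and SAMPLE_CSV is a constructed file.

```python
"""Pre-flight validation of a Cognito user-import CSV. Added example, not the
deck's code. Assumption: only the columns named in REQUIRED_COLUMNS are checked;
the full header row comes from the user pool."""
import csv
import io
import re

REQUIRED_COLUMNS = {"cognito:username", "email", "email_verified",
                    "phone_number", "phone_number_verified"}
E164 = re.compile(r"^\+[1-9]\d{1,14}$")   # phone numbers must be in E.164 form


def _is_true(value):
    return value.strip().lower() == "true"


def check_import_csv(text):
    """Return a list of problems; an empty list means the file is ready to upload."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        return [f"header is missing columns: {sorted(missing)}"]
    problems, seen = [], set()
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        username = row["cognito:username"].strip()
        if not username:
            problems.append(f"line {line_no}: empty cognito:username")
        elif username in seen:
            problems.append(f"line {line_no}: duplicate cognito:username {username!r}")
        seen.add(username)
        email, phone = row["email"].strip(), row["phone_number"].strip()
        if not email and not phone:
            # The rule from the slide: every imported user needs a contact attribute.
            problems.append(f"line {line_no}: needs an email address or a phone number")
            continue
        if phone and not E164.match(phone):
            problems.append(f"line {line_no}: phone number {phone!r} is not E.164")
        email_ok = bool(email) and _is_true(row["email_verified"])
        phone_ok = bool(phone) and _is_true(row["phone_number_verified"])
        if not (email_ok or phone_ok):
            problems.append(f"line {line_no}: no verified contact attribute, so the user "
                            "could not receive the first-sign-in password reset code")
    return problems


# Constructed sample: row 2 is valid, rows 3 to 6 each break one rule.
SAMPLE_CSV = """cognito:username,email,email_verified,phone_number,phone_number_verified
alice,alice@example.com,TRUE,,FALSE
bob,,FALSE,,FALSE
carol,,FALSE,5555550123,TRUE
dave,dave@example.com,FALSE,,FALSE
alice,alice2@example.com,TRUE,,FALSE
"""

if __name__ == "__main__":
    for problem in check_import_csv(SAMPLE_CSV):
        print(problem)
```

Run it against the real export before creating the import job; a file that passes still needs the exact header row the pool generates, which this check does not reconstruct.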
14. Your User Pools and Amazon API Gateway
1. Native Support: configure API Gateway to accept ID tokens to authorize users based on their existence in a user pool – User Pools works together with API Gateway to authorize API requests
2. Custom Authorizer Function: control access to your APIs using bearer token authentication strategies, such as OAuth or SAML – API Gateway’s custom authorizer feature uses bearer tokens to determine access privileges
15. Federate with Third Party Identity Providers
Diagram: the user signs in (username and password) against a SAML identity provider (example: Active Directory with ADFS); Amazon Cognito then gets AWS credentials for the user (step 2 in the diagram), which the app uses to call API Gateway, your APIs, DynamoDB, S3, and Lambda.
16. Example Use Case: Asurion
Ravi Tiyyagura, Sr. Director, Enterprise Architecture
18. Asurion’s continuous innovation is helping 290M customers globally stay connected while driving loyalty to our partners’ brands
• Founded in the mid-1990s, Asurion has been serving the communications and retail industries for over 20 years
• Based in Nashville, Tennessee, Asurion has over 17,000 associates worldwide
• Serving more than 290 million consumers globally through our operations in 18 countries: Australia, Brazil, Canada, China/Hong Kong, Colombia, England, France, Israel, Japan, Korea, Malaysia, Mexico, Philippines, Peru, Singapore, Taiwan, Thailand, United States
• Asurion is privately held with annual revenues in excess of $5.8 billion
• Our management team comes from best-in-class companies with experience across mobile, wireline telecom, logistics, insurance, service contracts, consulting, customer care, marketing, retail and more
• Asurion partners with the world’s leading mobile carriers, retailers, and cable and satellite providers.
Corporate Overview – Expanding Global Presence:
• North America: global headquarters, 15 corporate-owned call centers, logistics center
• South America: 2 corporate offices
• Europe: 3 corporate offices, 1 corporate-owned call center
• Asia Pacific: 13 corporate offices, logistics center, 2 corporate-owned call centers
19. Asurion Use Case
• 40 million identities for Asurion mobile applications
• 2 million authentication requests per day
• Need for a global and highly available B2C IAM service – North America, Europe, APAC
• Ability to customize Sign-Up and Sign-In workflow
Architecture diagram components: Asurion mobile apps and Asurion websites; Amazon CloudFront and WAF; API Gateway; AWS Lambda functions; Cognito; endpoints on Amazon EC2; backend AWS services and AWS IAM (API calls); AWS Direct Connect to the Asurion private cloud and its key servers.
20. Why Asurion Selected Amazon Cognito
• Scalable service with global presence
• Support for a wide variety of identity models
  • Custom: Cognito Sign-In, Developer Identities
  • 3rd party: Amazon, Facebook, Google, Twitter, etc.
• Extensible provisioning workflow steps with Lambda function support
• Invite user flow using an OTP delivered via email or SMS
• Out-of-the-box support for identity functions such as:
  • Sign-Up
  • Forgot Password
  • Reset Password
• Good SDK support for all mobile and web platforms
21. Asurion implementation
• Multiple apps; each starts with a Device Identity
• Minimal user input
• Augment the Device Identity with user details
• Provisioning based on eligibility checks against on-premises APIs
• Identity and sensitive data encrypted using an Asurion-hosted crypto service
• Tighter control over app libraries, for client approvals
• Predictable traffic routing
22. Registration Workflow (Asurion Device Sign-Up, with an Identity Pool ID)
Sequence diagram between End Users, Asurion Services on AWS (Cognito, RDS), Asurion Services on-prem, the Crypto Service and the Eligibility Service, with these labelled steps:
• Device registration with SMS confirmation: an SMS OTP code is sent and the user submits the OTP code
• Validate OTP
• Check eligibility (Eligibility Service)
• Encrypt identity and sensitive data (Crypto Service)
• Sign-up with Cognito; create Identity and Refresh tokens
• Create app record and create device record (RDS)
• Push tokens to the device; ready for service
23. Refresh Workflow (Asurion Device Refresh, using the Refresh Token)
Sequence diagram between End Users and Asurion Services on AWS (Cognito, RDS), with these labelled steps:
• Device refresh request carrying the refresh token
• Validate refresh token and issue Identity token (Cognito); refresh identity
• Refresh app record; fetch/update app changes (RDS)
• Push Identity token and app data to the device; ready for service
24. Registration Workflow (Asurion User Sign-Up, with an Identity Pool ID)
Sequence diagram between End Users, Asurion Services on AWS (Cognito, RDS), Asurion Services on-prem, the Crypto Service and the Eligibility Service, with these labelled steps:
• User registration with email/SMS confirmation
• Validate identity
• Check eligibility (Eligibility Service)
• Encrypt identity and sensitive data (Crypto Service)
• Update app record; update/create user record (RDS)
• Ready for service
25. What we learned
• Great collaboration
• Build in a robust testing program
• Weigh the costs and benefits of custom implementation
26. Demo
• Creating a user pool in Amazon Cognito: attributes, policies, verifications, apps, customizations, etc.
• Importing and creating users
• Customizing authentication
27. Demo Recap
• Easy to create and configure user pools
• Several options for creating and importing users
• Flows are customizable through Lambda triggers
28. Groups
Cognito User Pools: Groups and Multiple Authenticated Roles
Diagram: groups in a user pool map to different IAM roles (Group A to IAM Role A, Group B to IAM Role B, …). An authenticated user identity gets credentials from Cognito Federated Identities, which supports multiple roles for authenticated identities, each with its own IAM role and policy; mapping groups to different IAM roles controls access to backend resources such as API Gateway, DynamoDB, and S3.