© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tim Hunt, Sr. Product Manager, Amazon Cognito
April 19, 2016
Announcements for Mobile Developers
Amazon Cognito Identity
Topics
• User identities in Amazon Cognito
• Example use case
• Key new features
• Demo
• Q&A
User identities in Amazon Cognito
• Federated Identity Management: Manage authenticated and guest users across identity providers
• Data Synchronization: Synchronize user’s data across devices and platforms via the cloud
• Secure AWS Access: Securely access AWS services from mobile devices and platforms
(Diagram labels: Guest, Your own auth, Amazon Cognito Identity, Amazon Cognito Sync)
Amazon Cognito Until Now
Amazon Cognito Sync: User Data Storage and Sync
Any Platform: iOS/Android/FireOS
• Store user data, preferences, and state: Save app and device data to the cloud and merge them after login
• Cross-device / Cross-OS Sync: Sync user data and preferences across devices with a few lines of code
• Work offline: Data always stored in local SQLite DB first; works seamlessly with intermittent or no connectivity
• No back end: Simple client SDK eliminates need for server-side code
(Diagram labels: k/v data, Identity pool, Amazon API Gateway)
Amazon Cognito Identity and User Experience Today
Amazon Cognito Identity: Federated Identities and Secure Access to AWS Service for Apps
(Sign-in screen mockup: “Sign in with”, Or, Username, Password, Sign In, Or, “Start as a guest”)
• Authenticate via 3rd party Identity Providers
• Guest Access
• Authenticate via Developer Provided Authentication
Amazon Cognito Identity provides temporary credentials to securely access your resources (Amazon DynamoDB, Amazon S3)
Most Developers Don’t Want to Build a User Authentication System
Amazon Cognito Identity: Federated Identities and Secure Access to AWS Service for Apps
• Authenticate via 3rd party Identity Providers
• Guest Access
• Authenticate via Developer Provided Authentication
(Sign-in screen mockup: “Sign in with”, Or, Username, Password, Sign In, Or, “Start as a guest”)
Developers do not want to take on the undifferentiated heavy lifting to:
• Build and maintain a directory
• Get security right
• Support workflows like forgot password
• Scale as their user base grows
Introducing Sign-Up and Sign-In with Your User Pools
• Easy User Management: Add sign-up and sign-in easily to your mobile and web apps
• Enhanced Security Features: Verify phone numbers and email addresses and offer multi-factor authentication
• Managed User Directory: Use our simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users
Example Use Case: Ramesh Adabala, Principal Architect, Asurion
Quick Facts
• Founded in 1987
• 15,000 employees
• Serving more than 280 million consumers globally through our operations in 14 countries
• End-to-end (white label) solutions
• Experience supporting operator captives
Asurion is the world’s largest device support and protection company, serving over 280 Million customers globally
Worldwide Presence (map labels):
• United States: Headquarters; Care Centers; Technology & Logistics Center
• Canada: Care & Logistics Centers
• Europe: UK, Germany, France
• Korea: Care Center; Logistics Center; Corporate Office
• Japan: Care Center; Logistics Center; Corporate Office
• Hong Kong: Asurion Asia Headquarters; Technology and Logistics
• Australia: New nationwide services
• Africa: Care Centre
• China: Nationwide service, two operators
• Russia: Care Center; Logistics Center; Corporate Office
• Silicon Valley: Software Services Dev Teams
• Mexico City: AMX launch office
(Chart: Mobile Protection Sub Growth, in millions of Mobile Protection subscribers, 2000 to 2011)
Premier support / protection apps
Asurion Use Case for Amazon Cognito
(Architecture diagram labels: Asurion Mobile Apps; Asurion Websites; Endpoints on Amazon EC2; Asurion Private Cloud; Amazon CloudFront; AWS Lambda functions; Amazon Cognito Identity; AWS Direct Connect; Voltage Key Servers; API Gateway; Backend AWS Services; IAM API calls)
• 40 million identities for Asurion mobile applications
• 1 million authentication requests per day
• Need for a global and highly available B2C IAM service - North America, Europe, Asia
• Access Authorization through IAM roles and policies
• User provisioning based on the eligibility checks against On-Premises APIs
• User Identity and other sensitive data to be encrypted using Asurion hosted Voltage keys and crypto library
Asurion User Sign-Up
(Workflow diagram labels: End Users; App with AWS Mobile SDK; AWS WAF; Amazon API Gateway; Registration Workflow With an Identity Pool ID; APIs for Unauthenticated Role; Amazon Cognito; AWS Lambda; Cognito Workflow; Cognito Store; Asurion Services: Voltage Crypto Service, Asurion Customer eligibility Service)
Steps shown:
• User Registration (Userid, pwd, email, MDN)
• Pre Sign-Up Lambda (Input Validations): validation errors are returned and the user fixes them
• Customize Message Lambda (OTP Email): email with OTP code; the user submits the OTP code
• Post Confirmation Lambda (confirmation email): email with Registration confirmation; ready to login
Asurion User Sign-In
(Workflow diagram labels: End Users; App with AWS Mobile SDK; Amazon Cognito; Lambda; Amazon API Gateway; Elastic Beanstalk Back-end Services; APIs for Authenticated Role)
Steps shown:
• User Authentication (userid, pwd)
• User Authentication With an Identity Pool: AWS Temporary Credentials for Cognito Authenticated Role
• Build the API Gateway client with AWS credentials
• Call the APIs using the AWS credentials: Request with AWS Creds + API Key; Response
• SDK Supports: AWS Creds caching; Creds renewal
Why Asurion Selected Amazon Cognito
• Support for wide variety of Identity models
  • Custom: Your User Pool, Developer Identities
  • 3rd party: Amazon, Facebook, Google, Twitter etc.
• Extensible provisioning workflow steps with Lambda function support
• Adaptive authentication support using an OTP through Email or SNS
• Out-of-the-box support for identity functions such as:
  • Sign-Up
  • Forgot Password
  • Change Password
• Use of IAM roles for fine-grained user authorization
• Scalable service with global presence
• Good SDK support for all mobile and web platforms
Key New Features
Comprehensive User Scenarios
• User sign-up and sign-in: Users sign up using email, phone number or user name and password. Users can then sign in
• Email or phone number verification: Users verify their email address or phone number to confirm their account
• Forgot Password: Users can change their password if they forget it
• User Profile: Retrieve and update user profiles, including custom attributes
• SMS-based MFA: If enabled, users complete Multi-Factor Authentication (MFA) with a confirmation code via SMS as part of sign-in and forgot password flows
Comprehensive Administrator Scenarios
• Create and manage User Pools: Create, configure and delete multiple User Pools in their AWS account
• Manage users in a User Pool: List, search, and perform actions on specific user(s) in the User Pool
• Select Email and Phone Verification: Configure verifications of users’ email addresses and phone numbers (via SMS)
• Customize with AWS Lambda Triggers: Create functions in AWS Lambda to customize workflows
• Set up Password Policies: Control password requirements like minimum length, uppercase, and inclusion of special characters
• Define Attributes: Select required attributes and define custom user attributes
Secure Sign-in Made Easy
• Token-based Authentication: Uses tokens based on OpenID Connect (OIDC) and OAuth 2.0 standards
• Secure Remote Password Protocol: Uses Secure Remote Password (SRP) during sign-in for secure password handling end to end
• SMS-based Multi-factor Authentication: Enables your end users to use the text messaging functionality of a mobile phone as an extra layer of security
Customization using AWS Lambda hooks
AWS Lambda Hook Example Scenarios
• Pre user sign-up: Custom validation to accept or deny the sign-up request
• Custom message: Advanced customization and localization of verification messages
• Pre user sign-in: Custom validation to accept or deny the sign-in request
• Post user sign-in: Event logging for custom analytics
• Post user confirmation: Custom welcome messages or event logging for custom analytics
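As an added example (not code from the deck, AWS or Asurion), here is what the "Pre user sign-up" hook and the "Pre Sign-Up (Input Validations)" step of the Asurion workflow look like as a Node.js Lambda trigger: the event shape (triggerSource, request.userAttributes, response.autoConfirmUser) is Cognito's documented trigger format, while the email and E.164 phone rules are assumed validation policy chosen for illustration.

```javascript
"use strict";
// Added example: a Cognito User Pool pre sign-up Lambda trigger.
// Accepting a sign-up = return the event; denying it = throw, which
// Cognito relays to the app as the sign-up failure reason.
// Validation rules below are assumptions for illustration.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const E164_RE = /^\+[1-9]\d{7,14}$/; // Cognito stores phone_number in E.164 form

// Returns a list of validation errors; an empty list means acceptable input.
function validationErrors(attrs) {
  const errors = [];
  if (!EMAIL_RE.test(attrs.email || "")) errors.push("email: invalid format");
  if (!E164_RE.test(attrs.phone_number || "")) errors.push("phone_number: must be E.164");
  return errors;
}

function validateSignUp(event) {
  // Only act on self-service sign-ups; other pre sign-up sources pass through.
  if (event.triggerSource !== "PreSignUp_SignUp") return event;
  const errors = validationErrors((event.request && event.request.userAttributes) || {});
  if (errors.length > 0) {
    // Deny: the message is what the client sees, so keep it to the field names.
    throw new Error("Validation errors: " + errors.join("; "));
  }
  // Accept, but do NOT auto-confirm or auto-verify: the user must still
  // complete the OTP step so the address or number is proven reachable.
  event.response.autoConfirmUser = false;
  event.response.autoVerifyEmail = false;
  event.response.autoVerifyPhone = false;
  return event;
}

// Lambda entry point (CommonJS export, as the Node.js Lambda runtime expects).
exports.handler = async (event) => validateSignUp(event);
```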
Amazon Cognito User and Federated Identities
1. User Sign-in to Amazon Cognito – Your User Pool
2. Returns Access and ID Tokens
3. Get AWS scoped credentials from Amazon Cognito - Federated Identities (Identity Pool)
4. Access to AWS Services (Amazon DynamoDB, Amazon S3, Amazon API Gateway)
Demo
Resources Available Today
• SDKs for iOS, Android, and JavaScript
• Sample apps for iOS and Android
• AWS Mobile Blog article describes them
• Developer Guide
• API Reference Guide
Get Started by visiting aws.amazon.com/cognito/
Thank You!
Q&A
Appendix