AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your Mobile and Web...


Transcript of AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your Mobile and Web...

Page 1: AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your Mobile and Web Applications with Amazon Cognito (MBL310)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Tim Hunt, Sr. Product Manager – Amazon Cognito

Vikram Madan, Sr. Product Manager – Amazon Cognito

Ravi Tiyyagura, Senior Director – Asurion

11/30/2016

Add User Sign-In, User Management, and Security to your Mobile and Web Applications with Amazon Cognito

Page 2

Identity is mission critical for your applications

(Diagram: User Identity at the centre of three concerns: Security, Revenue Generation, and the Application Backbone.)

• Know your users
• Monitor engagement with your application
• Store and manage user data
• Personalize your users’ experiences
• Protect sensitive data
• Secure business-critical processes

Page 3

Developing Auth Infrastructure is Difficult

• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Implementing token-based authentication
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications

Page 4

Amazon Cognito Identity

(Diagram: a sign-in form with Username, Password, and Submit, next to "Sign in with" buttons for Facebook, Corporate, OIDC, and SAML providers.)

Your User Pools: You can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully-managed service that scales to support 100s of millions of users.

Federated Identities: Your users can sign in with third-party identity providers, such as Facebook and SAML providers, and you can control access to AWS resources from your app.

Page 5

Comprehensive Support for Identity Use Cases

Page 6

Amazon Cognito: Identity Management Scenarios

(Diagram of scenarios)
• Business to Consumer
• Business to Employee: SAML federation with an Enterprise Directory
• Business to Business: Partner A, Partner B
• IoT Scenarios: AWS IoT
• API Gateway with Lambda: Custom Authorizer returning Allow or Deny
• Access control for AWS Resources: AWS IAM

Page 7

Your User Pools

1. Serverless Authentication and User Management: Add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure
2. Enhanced Security Features: Verify phone numbers and email addresses and offer multi-factor authentication
3. Managed User Directory: Launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users

Page 8

Comprehensive User Flows

• User Sign-Up and Sign-In: Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
• Email or Phone Number Verification: Require users to verify their email address or phone number prior to activating their account with a one-time password challenge
• Forgot Password: Provide users the ability to change their password when they forget it with a one-time password challenge
• User Profile Data: Enable users to view and update their profile data – including custom attributes
• SMS Multifactor Authentication: Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow
• Token Based Authentication: Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend

Customize these User Flows Using Lambda

Page 9

Custom User Flows Using Lambda Hooks

Category | Lambda Hook | Example Scenarios
Custom Authentication Flow | Define Auth Challenge | Determines the next challenge in a custom auth flow
Custom Authentication Flow | Create Auth Challenge | Creates a challenge in a custom auth flow
Custom Authentication Flow | Verify Auth Challenge Response | Determines if a response is correct in a custom auth flow
Authentication Events | Pre Authentication | Custom validation to accept or deny the sign-in request
Authentication Events | Post Authentication | Event logging for custom analytics
Sign-Up | Pre Sign-up | Custom validation to accept or deny the sign-up request
Sign-Up | Post Confirmation | Custom welcome messages or event logging for custom analytics
Messages | Custom Message | Advanced customization and localization of messages

Page 10

Custom Auth Flow

(Diagram: a six-step exchange between the app, Cognito User Pools, and the custom authentication challenge functions.)

Custom Authentication Challenges (e.g., CAPTCHA, passwordless auth, custom 2nd factors)
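The Define Auth Challenge, Create Auth Challenge, and Verify Auth Challenge Response hooks from the Page 9 table, written out as an added example for a one-time-code challenge in this custom auth flow; this is not code from the talk or from AWS. It assumes a `send_code(user_attributes, code)` delivery callback (SMS or email) and the standard Cognito trigger event layout (`event["request"]` / `event["response"]`).

```python
import hmac
import secrets

# Added example, not the talk's or AWS's code: the three Lambda hooks of a
# Cognito User Pools custom auth flow, implementing a one-time-code challenge.
MAX_ATTEMPTS = 3          # failed answers allowed before the sign-in is rejected
CODE_PREFIX = "CODE-"     # challengeMetadata marker used to reuse a code on retry


def define_auth_challenge(event):
    """Define Auth Challenge: choose the next step from the session history."""
    request, response = event["request"], event["response"]
    session = request.get("session", [])
    if request.get("userNotFound"):
        response.update(issueTokens=False, failAuthentication=True)
    elif session and session[-1].get("challengeResult") is True:
        response.update(issueTokens=True, failAuthentication=False)   # answered correctly
    elif len(session) >= MAX_ATTEMPTS:
        response.update(issueTokens=False, failAuthentication=True)   # too many failures
    else:
        response.update(challengeName="CUSTOM_CHALLENGE",
                        issueTokens=False, failAuthentication=False)
    return event


def create_auth_challenge(event, send_code):
    """Create Auth Challenge: mint a code (or reuse it on retry) and deliver it."""
    request, response = event["request"], event["response"]
    earlier = [s["challengeMetadata"] for s in request.get("session", [])
               if str(s.get("challengeMetadata", "")).startswith(CODE_PREFIX)]
    if earlier:                                   # retry: do not send a second code
        code = earlier[-1][len(CODE_PREFIX):]
    else:
        code = f"{secrets.randbelow(10 ** 6):06d}"  # 6-digit code from a CSPRNG
        send_code(request.get("userAttributes", {}), code)   # assumed SMS/email sender
    response["publicChallengeParameters"] = {"hint": "Enter the 6-digit code we sent you"}
    response["privateChallengeParameters"] = {"answer": code}   # never sent to the client
    response["challengeMetadata"] = CODE_PREFIX + code
    return event


def verify_auth_challenge_response(event):
    """Verify Auth Challenge Response: constant-time comparison of the answer."""
    request = event["request"]
    expected = request["privateChallengeParameters"]["answer"].encode()
    given = str(request.get("challengeAnswer", "")).encode()
    event["response"]["answerCorrect"] = hmac.compare_digest(expected, given)
    return event
```

Cognito feeds each hook's `response` back into the next one, so the session array is the only state the three functions share; the code itself travels only in `privateChallengeParameters`, which the client never sees.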

Page 11

Extensive Admin Capabilities

• Define Custom Attributes: Define custom attributes for your user profiles
• Set per-App Permissions: Set read and write permissions for each user attribute on a per-app basis
• Set up Password Policies: Enforce password policies like minimum length and requirement of certain types of characters
• Create and manage User Pools: Create, configure, and delete multiple user pools across AWS regions
• Require Submission of Attribute Data: Select which attributes must be provided by the user prior to completion of the sign-up process
• Search Users: Search users based on a full match or a prefix match of their attributes through the console or Admin API
• Manage Users: Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out

Page 12

Remembered Devices

Remember the devices associated with your users

1. How do I reduce the friction that my users face when having to complete the 2nd factor challenge on every sign-in?
2. How do I build logic to associate devices with my users to achieve my specific business requirements?

Page 13

Importing Existing Users

• Import users into your Cognito user pool by uploading .csv files
• Users will create a new password when they first sign in
• Each imported user must have an email address or a phone number

Page 14

Your User Pools and Amazon API Gateway

1. Native Support: Configure API Gateway to accept ID tokens to authorize users based on their existence in a user pool – User Pools works together with API Gateway to authorize API requests
2. Custom Authorizer Function: Control access to your APIs using bearer token authentication strategies, such as OAuth or SAML – API Gateway’s custom authorizer feature uses bearer tokens to determine access privileges

Page 15

Federate with Third Party Identity Providers

(Diagram: the user signs in with Username and Password at a SAML Identity Provider, for example Active Directory with ADFS; step 2, "Get AWS credentials", from Amazon Cognito; the app then calls Your APIs through API Gateway, backed by DynamoDB, S3, and Lambda.)

Page 16

Example Use Case: Asurion

Ravi Tiyyagura, Sr. Director, Enterprise Architecture

Page 17

Asurion empowers people to make the most of the technology in their life

• Recover: Get you back up and running when you’re without your device
• Soluto Support: Make sure you’re never held back by technology
• Enjoy!: Help you unlock new value from your devices & applications

© Asurion 2016. All rights reserved

Page 18

Corporate Overview

Asurion’s continuous innovation is helping 290M customers globally stay connected while driving loyalty to our partners’ brands

• Founded in the mid-1990s, Asurion has been serving the communications and retail industries for over 20 years
• Based in Nashville, Tennessee, Asurion has over 17,000 associates worldwide
• Serving more than 290 million consumers globally through our operations in 18 countries: Australia, Brazil, Canada, China/Hong Kong, Colombia, England, France, Israel, Japan, Korea, Malaysia, Mexico, Philippines, Peru, Singapore, Taiwan, Thailand, United States
• Asurion is privately held with annual revenues in excess of $5.8 billion
• Our management team comes from best-in-class companies with experience across mobile, wireline telecom, logistics, insurance, service contracts, consulting, customer care, marketing, retail and more
• Asurion partners with the world’s leading mobile carriers, retailers, and cable and satellite providers.

Expanding Global Presence

North America
• Global Headquarters
• 15 Corporate Owned Call Centers
• Logistics Center

South America
• 2 Corporate Offices

Europe
• 3 Corporate Offices
• 1 Corporate Owned Call Center

Asia Pacific
• 13 Corporate Offices
• Logistics Center
• 2 Corporate Owned Call Centers

Page 19

Asurion Use Case

• 40 million identities for Asurion mobile applications
• 2 million authentication requests per day
• Need for a global and highly available B2C IAM service - North America, Europe, APAC
• Ability to customize Sign-Up and Sign-In workflow

(Architecture diagram components: Asurion Mobile Apps and Asurion Websites; Amazon CloudFront and WAF in front of API Gateway; API Gateway endpoints on Amazon EC2; AWS Lambda functions, Cognito, AWS IAM, and backend AWS services handling the API calls; AWS Direct Connect to the Asurion Private Cloud and its Key Servers.)

Page 20

Why Asurion Selected Amazon Cognito

• Scalable service with global presence
• Support for wide variety of Identity models
  • Custom: Cognito Sign-In, Developer Identities
  • 3rd party: Amazon, Facebook, Google, Twitter etc.
• Extensible provisioning workflow steps with Lambda function support
  • Invite user flow using an OTP delivered via email or SMS
• Out-of-Box support for identity functions such as –
  • Sign-Up
  • Forgot Password
  • Reset Password
• Good SDK support for all mobile and web platforms

Page 21

Asurion implementation

• Multiple apps, starts with Device Identity

• Minimal user input

• Augment Device Identity with User details

• Provisioning based on the eligibility checks against On-Premise APIs

• Identity and sensitive data to be encrypted using Asurion hosted crypto service

• Tighter control over app libraries, for client approvals

• Predictable traffic routing

Page 22

Registration Workflow (Asurion Device Sign-Up, with an Identity Pool ID)

(Sequence diagram between End Users, the Asurion Device Sign-Up app, Asurion Services on AWS, Cognito, RDS, and Asurion Services on-prem: Crypto Service and Eligibility Service.)

• Device Registration
• SMS OTP code sent to the user; the user submits the OTP code; Validate OTP
• Check eligibility (on-prem Eligibility Service)
• Encrypt identity and sensitive data (on-prem Crypto Service)
• Sign-up: Create app record, Create device record
• Create Identity and Refresh tokens; Push tokens
• Ready for service

Page 23

Refresh Workflow (Asurion Device Refresh)

(Sequence diagram between End Users, the Asurion Device Refresh app, Asurion Services on AWS, Cognito, and RDS.)

• Device Refresh with the Refresh Token
• Refresh Identity: Validate refresh token and Issue Identity token (Cognito)
• Refresh app record: Fetch/Update app changes (RDS)
• Push Identity token and App data
• Ready for service

Page 24

Registration Workflow (Asurion User Sign-Up, with an Identity Pool ID)

(Sequence diagram between End Users, the Asurion User Sign-Up app, Asurion Services on AWS, Cognito, RDS, and Asurion Services on-prem: Crypto Service and Eligibility Service.)

• User Registration with Email/SMS confirmation
• Validate Identity
• Check eligibility (on-prem Eligibility Service)
• Encrypt identity and sensitive data (on-prem Crypto Service)
• Update: Update app record, Update/Create user record
• Ready for service

Page 25

What we learned

• Great collaboration

• Build in a robust testing program

• Weigh the costs and benefits of custom implementation

Page 26

Demo

• Creating a user pool in Amazon Cognito: attributes, policies, verifications, apps, customizations, etc.
• Importing and creating users
• Customizing authentication

Page 27

Demo Recap

• Easy to create and configure user pools
• Several options for creating and importing users
• Flows are customizable through Lambda triggers

Page 28

Groups and Multiple Authenticated Roles

Cognito User Pools – Groups: Group A maps to IAM Role A and Group B maps to IAM Role B, so authenticated user identities map to different IAM roles.

Cognito Federated Identities – Multiple Roles for Authenticated Identities: an Authenticated User Identity calls Get Credentials and receives credentials for one of several IAM Roles and Policies, which control access to Backend Resources such as API Gateway, DynamoDB, and S3.

Page 29

Thank you!

Page 30

Remember to complete your evaluations!