Add User Sign-In and Management to Your Apps with Amazon Cognito

Posted on 14-Apr-2017


Tim Hunt, Sr. Product Manager, Amazon Cognito

October 26, 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Topics
- AWS Mobile Services and Amazon Cognito
- Introduction to Your User Pools
- Summary of Features
- Demo
- Deeper Dive in a Few Areas
- Getting Started
- Q & A

The Best Mobile Apps Run on AWS: Build and Scale Your Apps on AWS
- Authenticate users: Amazon Cognito (Identity)
- Synchronize data: Amazon Cognito (Sync)
- Analyze user behavior and track retention: Amazon Mobile Analytics
- Store and share media: Amazon S3
- Deliver media: Amazon CloudFront
- Store data: Amazon DynamoDB, Amazon RDS
- Send push notifications: Amazon SNS Mobile Push
- Server-side logic: AWS Lambda
- Test your app: AWS Device Farm


AWS Mobile Hub: Fastest Way to Build Apps on AWS


Comprehensive Support for Identity Use Cases
- Federated Identities (Amazon Cognito Identity): manage authenticated and guest users' access to your AWS resources
- Data Synchronization (Amazon Cognito Sync): synchronize users' key/value data across devices and platforms via the cloud
- Your User Pool: add sign-up and sign-in with a fully managed user directory
Your own authentication system can also serve as an identity source for Amazon Cognito Identity and Sync.

Amazon Cognito Identity and User Experience
A single app can offer several ways in:
- Authenticate via 3rd-party identity providers (e.g., "Sign in with Facebook")
- Sign in with a username and password against Your User Pools in Amazon Cognito
- Start as a guest (guest access)
Amazon Cognito Identity then provides temporary AWS credentials to securely access your resources, for example APIs behind Amazon API Gateway.


Your User Pools
- Serverless Authentication and User Management: add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure
- Enhanced Security Features: verify phone numbers and email addresses and offer multi-factor authentication
- Managed User Directory: launch a simple, low-cost, fully managed service to create and maintain a user directory that can scale to hundreds of millions of users



Comprehensive User Flows
- User registration and authentication: users can sign up and sign in using an email, phone number, or username (and password)
- Email or phone number verification: users verify their email address or phone number prior to activating an account
- Forgot password: users can change their password if they forget it
- User profile data: users can view and update profile data, including custom attributes
- SMS-based MFA: users complete multi-factor authentication (MFA) by entering a security code received via SMS as part of the sign-in flow
Customize these user flows using Lambda.


Custom User Flows Using Lambda Hooks

Category: Custom Authentication Flow
- Define Auth Challenge: determines the next challenge in a custom auth flow
- Create Auth Challenge: creates a challenge in a custom auth flow
- Verify Auth Challenge Response: determines if a response is correct in a custom auth flow

Category: Authentication Events
- Pre Authentication: custom validation to accept or deny the sign-in request
- Post Authentication: event logging for custom analytics

Category: Sign-Up
- Pre Sign-up: custom validation to accept or deny the sign-up request
- Post Confirmation: custom welcome messages or event logging for custom analytics

Category: Messages
- Custom Message: advanced customization and localization of messages


Custom Auth Flow
Amazon Cognito Your User Pools invoke your Lambda hooks during sign-in to issue custom authentication challenges (e.g., CAPTCHA or custom 2nd factors): Define Auth Challenge picks the next step, Create Auth Challenge issues it, and Verify Auth Challenge Response checks the answer.



Extensive Admin Capabilities
- Create and manage user pools: create, configure, and delete user pools across AWS regions
- Define custom attributes: define custom attributes for your user profiles
- Set per-app permissions: set read and write permissions for each user attribute on a per-app basis
- Set up password policies: enforce password policies like minimum length and requirements for different character types
- Require submission of attribute data: select which attributes must be provided by the user to complete sign-up
- Search for users: search for users based on a full match or a prefix match of their attributes through the console or admin API
- Manage users: conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out


Remembered Devices
Remember the devices associated with your users:
1. Reduce the friction that your users face with MFA by suppressing the 2nd-factor challenge on remembered devices
2. Build logic to associate devices with your users to meet specific business requirements, such as remote device sign-out


Amazon Cognito User Pools and Amazon API Gateway
- Native support: configure API Gateway to accept Cognito user pool ID tokens to authorize users
- Custom authorizer function: control access to your APIs by inspecting the tokens provided by Cognito user pools in your own Lambda authorizer


Importing Existing Users
- Import users into your Cognito user pool by uploading .csv files
- Users will create a new password when they first sign in
- Each imported user must have an email address or a phone number

Control Attribute Permissions
Choose which user attributes each app can read and write.





Creating Users as an Administrator
- Developers or administrators can create users in a user pool and send them an optional, customizable invitation email or SMS message
- New users sign in with a temporary password and then create a new password
- User pools can be configured to only allow users created by an administrator

Additional User Pool Features
- Customizable email addresses: customize the "from" email address of emails you send to users in a user pool
- Admin sign-in: your app can sign in users from back-end servers or Lambda functions
- Global sign-out: allow a user to sign out from all signed-in devices or browsers
- Custom expiration period: set an expiration period for refresh tokens

Feedback from our beta customers

"Building an AWS serverless platform that manages sensitive customer data requires an authentication strategy that protects the information from unauthorized access. Using the Amazon Cognito user pool feature together with AWS Lambda, we're developing a flexible, fully integrated solution that can scale effortlessly, a powerful tool that will be critical in keeping our customers' data secure."

"It is critical for us to provide a secure and simple sign-up and sign-in experience for our tens of millions of end users. With Amazon Cognito, we can enable that without having to worry about building and managing any backend infrastructure."



Understanding User Status
- New users start with Registered status and cannot sign in
- Users must be confirmed before they can sign in, either by confirming via email/phone or through an AdminConfirm action
- Users must be disabled before they can be deleted
State diagram: Sign-up (the Pre Sign-up Lambda trigger runs here) -> Registered (cannot sign in) -> Confirmed -> Disabled -> Deleted; Disable moves Confirmed to Disabled and Enable moves it back. Two further states lead to Confirmed: Reset Required (set by user import, cleared when the user resets their password) and Force Change Password (set by Admin Create User, cleared when the user sets a new password).
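The Pre Sign-up hook named in the hooks table and in the state diagram above, as an added example (not code from the deck or from AWS): it denies sign-ups from refused domains and auto-confirms self-service sign-ups from a trusted domain, leaving everyone else on the normal confirmation path. The event shape (triggerSource, request.userAttributes, response.autoConfirmUser/autoVerifyEmail/autoVerifyPhone) is the documented trigger shape; the domain lists and the makeEvent helper are constructed for the demo.

```javascript
// Added example: a Pre Sign-up Lambda hook that accepts or denies a sign-up request.
// Domain lists are CONSTRUCTED placeholders; replace with your own policy.
const BLOCKED_DOMAINS = new Set(['tempmail.example', 'mailinator.example']); // assumption: domains you refuse
const TRUSTED_DOMAINS = new Set(['corp.example']);                            // assumption: your staff domain

// Extract a lower-cased domain from an email attribute; null if it is not one address.
function emailDomain(email) {
  const m = /^[^@\s]+@([^@\s]+)$/.exec(String(email || '').trim());
  return m ? m[1].toLowerCase() : null;
}

// Throwing from a Pre Sign-up hook denies the sign-up and the message is shown
// to the caller, so keep it free of internal detail.
function preSignUp(event) {
  const attrs = event.request.userAttributes || {};
  const domain = emailDomain(attrs.email);
  if (!domain) throw new Error('A valid email address is required to sign up');
  if (BLOCKED_DOMAINS.has(domain)) throw new Error('Sign-up from this email domain is not permitted');

  // Default: leave the user in Registered status until they verify the code Cognito sends.
  event.response.autoConfirmUser = false;
  event.response.autoVerifyEmail = false;
  event.response.autoVerifyPhone = false;

  // Self-service sign-ups from the trusted domain skip confirmation; admin-created
  // users (triggerSource PreSignUp_AdminCreateUser) keep the normal invitation flow.
  if (event.triggerSource === 'PreSignUp_SignUp' && TRUSTED_DOMAINS.has(domain)) {
    event.response.autoConfirmUser = true;
    event.response.autoVerifyEmail = true;
  }
  return event;
}

// Constructed helper that builds a trigger event for local testing.
function makeEvent(email, triggerSource = 'PreSignUp_SignUp') {
  return { triggerSource, request: { userAttributes: { email }, validationData: {} }, response: {} };
}
```

Auto-verifying an email only because of its domain is a policy decision: it trusts that nobody outside the organisation can sign up with an address at that domain, which holds only if the hook is the single sign-up path and the domain itself is under your control.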

Verifying Email and Phone
- Your User Pools provide built-in verification of email addresses and phone numbers
- A six-digit code is sent as an email message or SMS text and is submitted via the VerifyUserAttribute API
- If both a phone number and an email address are provided at sign-up, a verification code will only be sent to the phone
- Your app can call GetUser to see if an email address or phone number is awaiting verification, and then call GetUserAttributeVerificationCode to initiate the verification
Example SMS: "Your verification code is 938764"

Using Aliases in Amazon Cognito User Pools
- Sign-up and sign-in with email is very common today
- Aliases in Amazon Cognito support the use of email, phone, or preferred username in place of the username
- A username value must be provided at sign-up, but it could be generated by the app and not exposed to the end user
- Phone numbers and email addresses must be unique and must be verified before they can be used to sign in

Cognito User and Federated Identities
1. The user authenticates against Cognito User Identities (Your User Pool)
2. The user pool returns access and ID tokens
3. The app presents the ID token to Cognito Federated Identities (Identity Pool) and gets AWS-scoped credentials
4. The app uses those credentials to access AWS services, including APIs behind API Gateway

Getting Started with Your User Pools
Resources: Getting Started Guides; Documentation, SDKs, and Sample Apps; Videos; Presentation Slides; Blog Posts; Developer Forums

Q & A
Ask questions at the AWS Developer Forum or on Stack Overflow (amazon-cognito tag).


Cognito Functional Diagram
- Authentication (supported providers): Cognito User Pool, social identity providers, developer-provided identities, and enterprise identity providers via SAML. These authenticate users and generate identity tokens.
- Authorization / permission: Cognito Federated Identities (Identity Pool) validates identity tokens and provides credentials to access AWS resources.

Pricing
- Pricing is based on Monthly Active Users (MAUs) with volume-based discounting
- A user is counted as a MAU if there is an identity operation related to that user within a calendar month (e.g., sign-up, sign-in, token refresh, or password change)
- No charge for subsequent sessions in that month or for inactive users
- SMS charges are billed separately (using the SNS Global SMS feature)

Pricing tier              Price per 1K MAUs
First 50,000 MAUs         Free
Next 50,000 MAUs          $5.50
Next 900,000 MAUs         $4.60
Next 9,000,000 MAUs       $3.25
Over 10,000,000 MAUs      $2.50

Amazon Cognito SyncUser Data Storage

