Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series


Transcript of Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Page 1: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Tim Hunt, Sr. Product Manager, Amazon Cognito

June 30, 2016

Getting Started with Your User Pools in Amazon Cognito

Page 2: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Topics

AWS Mobile Services and Amazon Cognito

Introduction to Your User Pools

Summary of Features

Demo

Deeper Dive in a Few Areas

Getting Started

Q & A

Page 3: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

The Best Mobile Apps Run on AWS

Page 4: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

AWS Mobile Services Eliminate the Heavy Lifting

When developing mobile apps today, you want to focus on ...

The great stuff that makes your app unique

Not…

The heavy lifting needed to manage backend infrastructure

Page 5: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Build and Scale Your Apps on AWS

AWS Mobile SDKs

AWS Mobile Hub

Authenticate users: Amazon Cognito (Identity)

Analyze user behavior: Amazon Mobile Analytics

Store and share media: Amazon S3

Synchronize data: Amazon Cognito (Sync)

Deliver media: Amazon CloudFront

Store data: Amazon DynamoDB, Amazon RDS

Track retention: Amazon Mobile Analytics

Send push notifications: Amazon SNS Mobile Push

Server-side logic: Lambda

Test your app: Device Farm

Page 6: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

AWS Mobile Hub: Fastest Way to Build Apps on AWS

Page 7: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Amazon Cognito Identity and Sync

Your User Pool: Add sign-up and sign-in with a fully managed user directory

Federated Identities: Manage authenticated and guest users’ access to your AWS resources

Data Synchronization: Synchronize user’s data across devices and platforms via the cloud

[Diagram labels: Guest, Your own auth, SAML, Amazon Cognito Identity, Amazon Cognito Sync, k/v data]

Page 8: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Amazon Cognito Identity and User Experience

[Sign-in screen mock-up: "Sign in with Facebook", or Username / Password / Sign In, or "Start as a guest"]

Authenticate via 3rd party Identity Providers

Your User Pool in Amazon Cognito

Guest Access

Amazon Cognito Identity provides temporary credentials to securely access your resources: DynamoDB, S3, API Gateway

Page 9: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

A Fully Managed User Directory in Cognito

Easy User Management: Add sign-up and sign-in easily to your mobile and web apps

Enhanced Security Features: Verify phone numbers and email addresses and offer multi-factor authentication

Managed User Directory: Launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users

Page 10: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Comprehensive User Scenarios

Email or phone number Verification: Users verify their email address or phone number prior to activating an account

Forgot Password: Users can change their password if they forget it

User sign-up and sign-in: Users sign-up using email, phone number or user name and password. Users can then sign-in.

User Profile: Retrieve and update user profiles, including custom attributes

SMS-based MFA: If enabled, users complete Multi-Factor Authentication (MFA) with a confirmation code via SMS as part of sign-in and forgot password flows

Page 11: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Comprehensive Administrator Scenarios

Manage users in a User Pool: List, search and perform actions on specific user(s) in the User Pool

Select Email and Phone Verification: Configure verifications of users’ email addresses and phone numbers (via SMS)

Customize with Lambda Triggers: Create functions in AWS Lambda to customize workflows

Setup Password Policies: Control password requirements like minimum length, uppercase, and inclusion of special characters

Create and manage User Pools: Create, configure and delete multiple User Pools in their AWS account

Define Attributes: Select required attributes and define custom user attributes

Page 12: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Secure Sign-in Made Easy

Token-based Authentication: Uses tokens based on OpenID Connect (OIDC) and OAuth 2.0 standards

Secure Remote Password Protocol: Uses Secure Remote Password (SRP) for secure password handling end to end

SMS-based Multi-factor Authentication: Enables your end users to use the text messaging functionality of a mobile phone as an extra layer of security

Page 13: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Customization using Lambda hooks

Lambda Hook | Example Scenarios

Pre user sign-up | Custom validation to accept or deny the sign-up request

Custom message | Advanced customization and localization of verification messages

Pre user sign-in | Custom validation to accept or deny the sign-in request

Post user sign-in | Event logging for custom analytics

Post user confirmation | Custom welcome messages or event logging for custom analytics
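
An added example, not from the webinar or from AWS sample code, of the pre user sign-up hook listed above: a Python Lambda handler that accepts or denies a sign-up request. The allowlisted domains, the username rule and the sample event are assumptions constructed for illustration.

```python
import re

ALLOWED_DOMAINS = {"example.com", "example.org"}  # hypothetical allowlist
USERNAME_RE = re.compile(r"[a-z0-9_.-]{3,32}")    # hypothetical username rule


def validate_signup(event):
    """Return None to accept the sign-up, or a reason string to deny it."""
    if not USERNAME_RE.fullmatch(event.get("userName", "")):
        return "username does not meet policy"
    attrs = event.get("request", {}).get("userAttributes", {})
    email = attrs.get("email", "").strip().lower()
    local, sep, domain = email.rpartition("@")
    # Exact match on the domain: a suffix or substring test would let
    # "example.com.evil.net" or "evil-example.com" through.
    if not sep or not local or "@" in local or domain not in ALLOWED_DOMAINS:
        return "email domain is not allowed"
    return None


def lambda_handler(event, context):
    """Pre sign-up trigger: raise to deny, return the event to accept."""
    reason = validate_signup(event)
    if reason is not None:
        raise Exception("Sign-up denied: " + reason)
    # Accepting is not confirming: leave these off so the pool still sends
    # its verification code and the user stays unconfirmed until then.
    response = event.setdefault("response", {})
    response["autoConfirmUser"] = False
    response["autoVerifyEmail"] = False
    response["autoVerifyPhone"] = False
    return event


def sample_event(user_name, email):
    """Constructed event in the shape Cognito passes to this trigger."""
    return {
        "triggerSource": "PreSignUp_SignUp",
        "userName": user_name,
        "request": {"userAttributes": {"email": email}},
        "response": {},
    }
```
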

Page 14: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Cognito User and Federated Identities

1. User signs in to Cognito User Identities (Your User Pool)

2. Returns Access and ID Tokens

3. Get AWS scoped credentials from Cognito Federated Identities (Identity Pool)

4. Access to AWS Services: DynamoDB, S3, API Gateway

Page 15: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Demo

Page 16: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Understanding User Status

New users start with “Registered” status

Users must be confirmed before they can sign-in

Users must be disabled before they can be deleted

[State diagram: Sign-up (Lambda Trigger: Pre Sign-up) → Registered (cannot sign in) → Verify email or Verify phone → Confirmed → Disable → Disabled → Delete → (deleted)]

Page 17: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Verifying Email and Phone

Your User Pools provide built-in verification of email addresses and phone numbers

A six digit code is sent as an email message or SMS text and is submitted via the VerifyUserAttribute API

If both a phone number and email address are provided at sign-up, a verification code will only be sent to the phone

Your app can call GetUser to see if an email address or phone number is awaiting verification, and then call GetUserAttributeVerificationCode to initiate the verification

Your verification code is 938764
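
The verification flow above as an added Python example (not from the webinar): it reads GetUser output to find attributes awaiting verification, requests a code for each, and submits a code. It assumes a boto3 `cognito-idp` client is passed in; `FakeCognito` and its sample values are constructed so the block runs offline.

```python
import re

# Standard attribute -> the attribute that holds its "verified" flag.
VERIFIABLE = {"email": "email_verified", "phone_number": "phone_number_verified"}


def pending_verifications(client, access_token):
    """Attributes that have a value but are not yet verified (GetUser)."""
    resp = client.get_user(AccessToken=access_token)
    attrs = {a["Name"]: a["Value"] for a in resp["UserAttributes"]}
    return [name for name, flag in sorted(VERIFIABLE.items())
            if attrs.get(name) and attrs.get(flag, "false").lower() != "true"]


def start_verification(client, access_token):
    """Request a code for each pending attribute; return their names."""
    pending = pending_verifications(client, access_token)
    for name in pending:
        client.get_user_attribute_verification_code(
            AccessToken=access_token, AttributeName=name)
    return pending


def submit_code(client, access_token, attribute, code):
    """Submit the six-digit code; reject malformed input before calling out."""
    if not re.fullmatch(r"[0-9]{6}", code):
        raise ValueError("verification code must be six digits")
    client.verify_user_attribute(
        AccessToken=access_token, AttributeName=attribute, Code=code)


class FakeCognito:
    """Constructed offline stand-in; real code would pass a boto3 client."""

    def __init__(self, attrs, code):
        self.attrs, self.code, self.sent = dict(attrs), code, []

    def get_user(self, AccessToken):
        return {"Username": "sample-user", "UserAttributes": [
            {"Name": k, "Value": v} for k, v in self.attrs.items()]}

    def get_user_attribute_verification_code(self, AccessToken, AttributeName):
        self.sent.append(AttributeName)
        return {}

    def verify_user_attribute(self, AccessToken, AttributeName, Code):
        if Code != self.code:
            raise ValueError("code mismatch")
        self.attrs[VERIFIABLE[AttributeName]] = "true"
        return {}
```
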

Page 18: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Using Aliases in Amazon Cognito User Pools

Sign-up and sign-in with email is very common today

Aliases in Amazon Cognito support use of email, phone or preferred user name in place of the user name

A username value must be provided at sign-up, but it could be generated by the app and not exposed to the end user

Phone numbers and email addresses must be unique and must be verified before they can be used to sign-in

[Sign-in screen mock-up: "My App" with Email and Password fields and Sign In / Sign Up buttons]

Page 19: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Getting Started with Your User Pools

See aws.amazon.com/cognito/dev-resources/ for links to:

SDKs for iOS, Android, and JavaScript

Sample apps for iOS and Android (AWS Mobile Blog article describes them)

Developer Guide

API Reference Guide

Page 20: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Thank You!

Visit aws.amazon.com/cognito/ to learn more

Page 21: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Q & A

Visit aws.amazon.com/cognito/ to learn more

Page 22: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Appendix

Page 23: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Cognito User and Federated Identities

Authentication – Supported Providers: Social Identity Providers, Developer Provided, Enterprise Identity Provider via SAML (coming)

Cognito Identity: Authenticate users and generate identity tokens

Authorization / Permission

Cognito Identity: Validates identity tokens and provides credentials to access AWS resources

AWS Resources

Page 24: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Pricing

Pricing is based on Monthly Active Users (MAUs) with volume-based discounting

A user is counted as a MAU if there is an identity operation related to that user within a calendar month (e.g., sign-up, sign-in, token refresh, or password change)

No charge for subsequent sessions or for inactive users

SMS charges are billed separately (using the SNS Global SMS feature)

Pricing Tier | Price per 1K MAUs

First 50,000 MAUs | Free

Next 50,000 MAUs | $5.50

Next 900,000 MAUs | $4.60

Next 9,000,000 MAUs | $3.25

>10,000,000 MAUs | $2.50

Page 25: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Amazon Cognito Sync

User Data Storage and Sync

Any Platform: iOS/Android/FireOS

Store app data, preferences, and state: Save app and device data to the cloud and merge them after login

Cross-device / Cross-OS Sync: Sync user data and preferences across devices with a few lines of code

Work offline: Data always stored in local SQLite DB first. Works seamlessly with intermittent or no connectivity

No back end: Simple client SDK eliminates need for server side code

[Diagram labels: k/v data, Identity pool]


Page 26: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Push Sync

Sync between devices in near real-time using push instead of polling

Fewer syncs = cost savings

Powered by SNS

Push changes from your backend

Page 27: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Cognito Streams

Enables deeper analysis of data

Receive a stream of any updates to a dataset for each identity in your identity pool

Publishes updates to Kinesis

From Kinesis write to other destinations such as Redshift or ElasticSearch

[Diagram: Cognito → Kinesis → RedShift, ElasticSearch]

Page 28: Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Cognito Events

Can be used to provide data validation (Cheating, Sanitization)

Can be used to inject data (Bonuses, Content)

Perform additional logic server side during a synchronize call

Full control over dataset contents

[Diagram: Cognito → Lambda]