announcements for mobile developers

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Tim Hunt, Sr. Product Manager, Amazon Cognito April 19, 2016 Announcements for Mobile Developers Amazon Cognito Identity

Upload: amazon-web-services

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Announcements for Mobile Developers

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Tim Hunt, Sr. Product Manager, Amazon Cognito

April 19, 2016

Announcements for Mobile Developers

Amazon Cognito Identity

Page 2: Announcements for Mobile Developers

Topics

• User identities in Amazon Cognito

• Example use case

• Key new features

• Demo

• Q&A

Page 3: Announcements for Mobile Developers

User identities in Amazon Cognito

Page 4: Announcements for Mobile Developers

Amazon Cognito Until Now

• Federated Identity Management: Manage authenticated and guest users across identity providers

• Data Synchronization: Synchronize user’s data across devices and platforms via the cloud

• Secure AWS Access: Securely access AWS services from mobile devices and platforms

[Diagram labels: Guest, Your own auth, Amazon Cognito Identity, Amazon Cognito Sync, k/v data]

Page 5: Announcements for Mobile Developers

Amazon Cognito Sync

User Data Storage and Sync

• Any Platform: iOS/Android/FireOS

• Store user data, preferences, and state: Save app and device data to the cloud and merge them after login

• Cross-device / Cross-OS Sync: Sync user data and preferences across devices with a few lines of code

• Work offline: Data always stored in local SQLite DB first. Works seamlessly with intermittent or no connectivity

• No back end: Simple client SDK eliminates need for server side code

[Diagram labels: k/v data, Identity pool]

Page 6: Announcements for Mobile Developers

Amazon Cognito Identity and User Experience Today

Amazon Cognito Identity: Federated Identities and Secure Access to AWS Service for Apps

• Authenticate via 3rd party Identity Providers

• Guest Access

• Authenticate via Developer Provided Authentication

Amazon Cognito Identity provides temporary credentials to securely access your resources

[Sign-in screen mock-up: Sign in with Facebook, or Username / Password / Sign In, or Start as a guest]

[Diagram labels: Amazon API Gateway, Amazon DynamoDB, Amazon S3]

Page 7: Announcements for Mobile Developers

Most Developers Don’t Want to Build a User Authentication System

Amazon Cognito Identity: Federated Identities and Secure Access to AWS Service for Apps

• Authenticate via 3rd party Identity Providers

• Guest Access

• Authenticate via Developer Provided Authentication

[Sign-in screen mock-up: Sign in with Facebook, or Username / Password / Sign In, or Start as a guest]

Developers do not want to take on the undifferentiated heavy lifting to:

• Build and maintain a directory

• Get security right

• Support workflows like forgot password

• Scale as their user base grows

Page 8: Announcements for Mobile Developers

Introducing Sign-Up and Sign-In with Your User Pools

• Easy User Management: Add sign-up and sign-in easily to your mobile and web apps

• Enhanced Security Features: Verify phone numbers and email addresses and offer multi-factor authentication

• Managed User Directory: Use our simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users

Page 9: Announcements for Mobile Developers

Example Use Case:

Ramesh Adabala, Principal Architect

Asurion

Page 10: Announcements for Mobile Developers

Asurion is the world’s largest device support and protection company

Serving over 280 Million customers globally

Quick Facts

• Founded in 1987

• 15,000 employees

• Serving more than 280 million consumers globally through our operations in 14 countries

• End-to-end (white label) solutions

• Experience supporting operator captives

Worldwide Presence

• United States: Headquarters, Care Centers, Technology & Logistics Center

• Canada: Care & Logistics Centers

• Europe: UK, Germany, France

• Korea: Care Center, Logistics Center, Corporate Office

• Japan: Care Center, Logistics Center, Corporate Office

• Hong Kong: Asurion Asia Headquarters, Technology and Logistics

• Australia: New nationwide services

• Africa: Care Centre

• China: Nationwide service, Two operators

• Russia: Care Center, Logistics Center, Corporate Office

• Silicon Valley: Software Services Dev Teams

• Mexico City: AMX launch office

[Chart: Mobile Protection Sub Growth, in millions of Mobile Protection subscribers; labelled years 2000, 2005, 2011]

Page 11: Announcements for Mobile Developers

Premier support / protection apps

Page 12: Announcements for Mobile Developers

Asurion Use Case for Amazon Cognito

• 40 million identities for Asurion mobile applications

• 1 million authentication requests per day

• Need for a global and highly available B2C IAM service - North America, Europe, Asia

• Access Authorization through IAM roles and policies

• User provisioning based on the eligibility checks against On-Premises APIs

• User Identity and other sensitive data to be encrypted using Asurion hosted voltage keys and crypto library

[Architecture diagram labels: Asurion Mobile Apps, Asurion Websites, Amazon CloudFront, AWS WAF, Amazon API Gateway, Amazon Cognito Identity, AWS Lambda functions, Endpoints on Amazon EC2, Backend AWS Services, IAM, API calls, AWS Direct Connect, Asurion Private Cloud, Voltage Key Servers]

Page 13: Announcements for Mobile Developers

Asurion User Sign-Up

[Workflow diagram labels:]

• End Users: App with AWS Mobile SDK

• User Registration (Userid, pwd, email, MDN)

• Registration Workflow: With an Identity Pool ID; APIs for Unauthenticated Role; Amazon API Gateway

• Amazon Cognito: Cognito Workflow, Cognito Store

• AWS Lambda: Pre Sign-Up (Input Validations); Customize Message (OTP Email); Post Confirmation (confirmation email)

• Asurion Services: Voltage Crypto Service, Asurion Customer eligibility Service

• Messages shown to the user: Validation errors; Fix Validation errors; Email with OTP code; Submit the OTP code; Email with Registration confirmation; Ready to login

Page 14: Announcements for Mobile Developers

Asurion User Sign-In

[Workflow diagram labels:]

• End Users: App with AWS Mobile SDK

• User Authentication (userid, pwd)

• Amazon Cognito, Lambda, Amazon API Gateway

• User Authentication With an Identity Pool: AWS Temporary Credentials for Cognito Authenticated Role

• Build the API Gateway client with AWS credentials

• Call the APIs using the AWS credentials: Request with AWS Creds + API Key; Response

• APIs for Authenticated Role: Elastic Beanstalk Back-end Services

• SDK Supports: AWS Creds caching, Creds renewal

Page 15: Announcements for Mobile Developers

Why Asurion Selected Amazon Cognito

• Support for wide variety of Identity models

  • Custom: Your User Pool, Developer Identities

  • 3rd party: Amazon, Facebook, Google, Twitter etc.

• Extensible provisioning workflow steps with Lambda function support

• Adaptive authentication support using an OTP thru Email or SNS

• Out-of-Box support for identity functions such as:

  • Sign-Up

  • Forgot Password

  • Change Password

• Use of IAM roles for fine grained user authorization

• Scalable service with global presence

• Good SDK support for all mobile and web platforms

Page 16: Announcements for Mobile Developers

Key New Features

Page 17: Announcements for Mobile Developers

Comprehensive User Scenarios

• Email or phone number verification: Users verify their email address or phone number to confirm their account

• Forgot Password: Users can change their password if they forget it

• User sign-up and sign-in: Users sign up using email, phone number or user name and password. Users can then sign in

• User Profile: Retrieve and update user profiles, including custom attributes

• SMS-based MFA: If enabled, users complete Multi-Factor Authentication (MFA) with a confirmation code via SMS as part of sign-in and forgot password flows

Page 18: Announcements for Mobile Developers

Comprehensive Administrator Scenarios

• Manage users in a User Pool: List, search, and perform actions on specific user(s) in the User Pool

• Select Email and Phone Verification: Configure verifications of users’ email addresses and phone numbers (via SMS)

• Customize with AWS Lambda Triggers: Create functions in AWS Lambda to customize workflows

• Set up Password Policies: Control password requirements like minimum length, uppercase, and inclusion of special characters

• Create and manage User Pools: Create, configure and delete multiple User Pools in their AWS account

• Define Attributes: Select required attributes and define custom user attributes

Page 19: Announcements for Mobile Developers

Secure Sign-in Made Easy

• Token-based Authentication: Uses tokens based on OpenID Connect (OIDC) and OAuth 2.0 standards

• Secure Remote Password Protocol: Uses Secure Remote Password (SRP) during sign-in for secure password handling end to end

• SMS-based Multi-factor Authentication: Enables your end users to use the text messaging functionality of a mobile phone as an extra layer of security

Page 20: Announcements for Mobile Developers

Customization using AWS Lambda hooks

AWS Lambda Hook: Example Scenarios

• Pre user sign-up: Custom validation to accept or deny the sign-up request

• Custom message: Advanced customization and localization of verification messages

• Pre user sign-in: Custom validation to accept or deny the sign-in request

• Post user sign-in: Event logging for custom analytics

• Post user confirmation: Custom welcome messages or event logging for custom analytics
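
A pre sign-up hook of the kind listed on this slide (and used for "Input Validations" in the Asurion sign-up workflow), as an added example that is not from the deck or from Asurion. The allowed domain, the E.164 phone rule, the `SignUpRejected` name and the sample events are assumptions made for illustration; raising an exception is what denies the sign-up.

```python
import re

# Assumed policy values for this example only.
ALLOWED_EMAIL_DOMAINS = {"example.com"}
E164_PHONE = re.compile(r"\+[1-9]\d{7,14}")


class SignUpRejected(Exception):
    """Raised to make Cognito refuse the sign-up request."""


def validate_sign_up(event):
    """Return a list of validation errors for a pre sign-up trigger event."""
    attrs = event.get("request", {}).get("userAttributes", {})
    errors = []
    local, _, domain = attrs.get("email", "").rpartition("@")
    if not local or domain.lower() not in ALLOWED_EMAIL_DOMAINS:
        errors.append("email domain not allowed")
    if not E164_PHONE.fullmatch(attrs.get("phone_number", "")):
        errors.append("phone_number must be in E.164 form")
    return errors


def lambda_handler(event, context):
    errors = validate_sign_up(event)
    if errors:
        # Any exception from this trigger denies the registration.
        raise SignUpRejected("; ".join(errors))
    # Accept, but never skip verification: the user must still prove
    # ownership of the email address or phone number with the code.
    response = event.setdefault("response", {})
    response["autoConfirmUser"] = False
    response["autoVerifyEmail"] = False
    response["autoVerifyPhone"] = False
    return event


def sample_event(email, phone):
    """Constructed event in the shape Cognito passes to the trigger."""
    return {
        "triggerSource": "PreSignUp_SignUp",
        "userName": "constructed-user",
        "request": {"userAttributes": {"email": email, "phone_number": phone}},
        "response": {},
    }
```
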

Page 21: Announcements for Mobile Developers

Amazon Cognito User and Federated Identities

Amazon Cognito – Your User Pool

1. User Sign-in

2. Returns Access and ID Tokens

Amazon Cognito – Federated Identities (Identity Pool)

3. Get AWS scoped credentials

4. Access to AWS Services: Amazon DynamoDB, Amazon S3, Amazon API Gateway

Page 22: Announcements for Mobile Developers

Demo

Page 23: Announcements for Mobile Developers

Resources Available Today

• SDKs for iOS, Android, and JavaScript

• Sample apps for iOS and Android

• AWS Mobile Blog article describes them

• Developer Guide

• API Reference Guide

Page 24: Announcements for Mobile Developers

Get Started…

…by visiting aws.amazon.com/cognito/

Page 25: Announcements for Mobile Developers

Thank You!

Q&A

Page 26: Announcements for Mobile Developers

Appendix
