Amazon Cognito – Secured service for user authentication authorization and management
If you are a user of AWS cloud ecosystem and developing a B2C app for your customers especially in prototyping or productizing stage, then Amazon Cognito is an identity management solution which you should explore. In this article we will discuss about what Amazon Cognito service offers, what are different components of Amazon Cognito, what are its common use cases, advantages, and limitations.
Amazon Cognito gives you the flexibility of signing in either by providing direct login credentials or through a third-party identity provider such as Facebook, Google, Amazon or Apple, LinkedIn etc. It not only provides an API but also the infrastructure for user management operations in web or mobile apps. As it is a managed service, it provides in-built sign in/ sign up screens and authentication functionalities which can be integrated easily with your application. Just like most apps use third-party payment gateways for managing financial transactions, AWS Cognito can be used in same way for user sign in/sign up/management in web and mobile apps. AWS cloud is HIPAA and PCI DSS, SOC, and ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant which ensures security for your apps and users.
Main Components of Amazon Cognito –
Amazon Cognito has two main components- User pools and Identity pools. You can use these components separately or together.
- User pools – These are user directories which delivers sign-up and sign-in options for your user administration in your app. It enables users to either sign into your mobile or web application through Amazon Cognito or federate through a third-party identity provider. All overhead of handling tokens returned from third-party or federated IDPs is handled by user pools. The directory profile of each member of user pool is accessible via an SDK
- Identity Pools – These are used if your users need temporary access to other AWS services like Amazon S3 and DynamoDB etc or Guest logins for unauthenticated guest identities on your application. Anonymous guest users, as well as federation through third-party IdPs are supported by these. Identity pools map users to specific roles to authorize temporary access to AWS resources.
Common use cases for Amazon Cognito-
Use cases for user pool:
- Client-side applications need a default sign-up and sign-in page.
- Easy to deploy managed service is needed for typical user management features in an app.
- To build a custom authentication flow based on specific identity management requirements.
- To get insights from usage trends and reconstruct login request workflows based on user device, location, IP address for enhanced security.
Use cases for Identity pool:
- To provide temporary access to authenticated users on other AWS resources like Amazon S3, Amazon DynamoDB table etc.
- Default temporary access for unauthenticated users (guest user logins)
Advantages of Amazon Cognito-
Consistency in muti-device experience: For a multi-device application, Cognito eases the job of a developer as it is designed to manage muti-device authentication seamlessly. Users get the advantage of using same login on web, mobile and desktop version of application. Push synchronization helps applications to synchronize updates made in cloud storage in an efficient way without manually searching the stores every time.
Simple Integration: It is a straightforward process to setup your API to validate against a Cognito pool with API Gateway. As the validation happens before your API passes call to next function, it decreases the cost of validating sessions. This is a huge benefit for a prototype application or when you have a small team as that can focus on the development of core functionality of your business.
More secure passwords: AWS makes sure that your user database is protected, and passwords are securely stored. It is not possible for even you to get a password from Cognito. Password reset option is more secure than direct updates.
Guest Logins: Cognito can help you in setting up Guest Logins to your product. It is a good feature for SaaS companies for gives trials to users before making a purchase decision. Once the guest user is converted into a paying customer, the sync feature of Cognito comes handy to sync guest user data to an actual account without going through the complete sign-up process again.
Marketing Insights: Cognito helps you to analyse the user behaviour by integrating with AWS Pinpoint. You can utilize the intelligence derived from analytics to run targeted campaigns, keep your customers up to date on your product with newsletters and utilize multi-channel messaging (email, SMS, and push notifications) for greater reachability.
Limitations of Amazon Cognito–
Restrictions on customizable attributes: Once you select the user custom attributes on creation, you can edit its value but cannot delete or edit the custom attribute itself as defined in user pool. If initial application’s requirement was to use email id for sign-up and later on the developers want to use phone numbers instead, it does not allow to make the change.
Limited Search option in user pool: Your search operation is limited to simple things like the state and the email. Search functionality based on custom attributes or chain two attributes is not available.
No cross-region fallback option or backup by default: Amazon Cognito user pools store data only in the region they are created. In case you need to send data to a different region, you will need to develop some custom solutions like one mentioned here https://aws.amazon.com/solutions/implementations/cognito-user-profiles-export-reference-architecture/. If developers are using automated tools like Terraform, they need to make sure to enable deletion protection of AWS Cognito user pool as any changes like in name or defaults could trigger the deletion and re-creation of complete user pool without a backup.
Expensive advanced security features: Though Cognito offers some advanced security features like Login via an OTP to the phone, but they come at an extra cost which can be a concern for start-ups. It is directly proportional to number of users. So as user count on your app will increase the cost of advanced security features will also increase.
General Cost Estimation of Amazon Cognito:
AWS charges you for the Amazon Cognito service based on monthly active users (MAU) in your user pool. The good thing is that a user qualifies as MAU for a calendar month only if there is at least one identity-based operation from that user such as sign-in, sign-up, password reset, some user attribute update etc. There are no charges for subsequent sessions from same user or inactive users in a calendar month. The prices for federated users may vary from what is charged for users who use user pool credentials for authentication.
AWS charge Cognito sync operations separately based on number of sync operations performed and total amount of data saved in the Amazon Cognito sync store.
Under AWS free tier program there is a limit of 50k MAUs for users who sign in directly to Cognito user pools and 50 MAUs for federated users. This free tier is available indefinitely and does not expire at the end of 12 months like many other free tier credits. You can visit https://aws.amazon.com/cognito/pricing/ for more pricing related info.