Refined Approach to User Management and Authentication
Background
We live in a post-PC era in which a typical person uses several devices and expects to reach the same data, with a consistent view of it, from each of them. This raises real challenges in managing user identities, application settings and user state. Mobile apps are ubiquitous and add a lot of efficiency to our daily lives, and most, if not all, of them involve users and permissions. There must therefore be a standard mechanism for managing those users: letting them log in (authentication) and deciding what they may and may not do (authorization). Most applications also need a way to register or sign up users, change passwords, and recover forgotten credentials.
Enter Amazon Web Services (AWS). AWS recognized the opportunity in mobile backends as a service (MBaaS) and has gradually built a compelling portfolio of mobile services that includes remote compute (Lambda), push notifications (SNS), database and storage (DynamoDB and S3), API management (API Gateway), data streaming (Kinesis), Mobile Analytics, and end-user identity management (Amazon Cognito).
Amazon Cognito
Lest we forget, Identity and Access Management (IAM) is a necessary component of most applications, is implemented in much the same way across applications, and has traditionally been custom coded at the very beginning of development. Despite the difficulty of coding, testing and maintaining IAM code, authentication in SaaS applications has largely remained a custom coding exercise, even though mature managed services for it, Amazon Cognito among them, now exist. As AWS states, “With Amazon Cognito, you can focus on creating great app experiences instead of worrying about building, securing, and scaling a solution to handle user management, authentication, and sync across devices.” Speaking from experience, at ISG we have eliminated thousands of lines of custom code, and with them a large share of potential security vulnerabilities, in many of our customers' applications by migrating them from homegrown IAM to Cognito.
Amazon Cognito also saves and synchronizes end-user data across devices, so the application developer can concentrate on application code rather than building and running back-end identity infrastructure. That accelerates development, lowers management cost, reduces security risk, and frees precious engineering cycles for more valuable application functionality. Cognito lets you add registration and authentication to an application quickly. Users can authenticate against a fully managed user pool or through an external identity provider (IdP), and Cognito can issue temporary security credentials for access to AWS resources.
Amazon Cognito works with external identity providers: social providers such as Facebook, Google, Amazon and Apple, and any enterprise provider that speaks SAML 2.0 or OpenID Connect (OIDC), which is also how you integrate your own identity provider. Sign-up and sign-in are provided by Cognito user pools, which come with additional security features such as email or phone verification and multi-factor authentication. Administrators can attach AWS Lambda functions to user pool triggers (for example pre sign-up, pre and post authentication, custom authentication challenges and pre token generation) to add their own logic to those flows.
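As an added example of the Lambda customization just described (this is not code from the article, ISG or AWS), the pre sign-up trigger below enforces an email-domain allow list and refuses to auto-confirm or auto-verify anything. It uses Cognito's documented PreSignUp trigger event format; the allow-listed domains and the rule that admin-created users bypass the allow list are assumptions made for the example.

```python
"""Pre sign-up Lambda trigger for an Amazon Cognito user pool.

Added example (not code from the article, ISG or AWS). The event layout is
Cognito's documented PreSignUp trigger format; the allow-listed domains and
the rule that admin-created users bypass the allow list are constructed.
"""
import re

ALLOWED_EMAIL_DOMAINS = {"example.com", "example.org"}   # constructed allow list
_LOCAL_PART = re.compile(r"^[A-Za-z0-9._%+-]+$")


def email_domain(email: str) -> str:
    """Lower-cased domain of an address; ValueError if it is not well formed."""
    local, at, domain = email.strip().rpartition("@")
    if not at or not _LOCAL_PART.match(local) or "." not in domain or " " in domain:
        raise ValueError(f"malformed email address: {email!r}")
    return domain.lower()


def denial_reason(trigger_source: str, user_attributes: dict):
    """Return None if the sign-up is acceptable, else the message to reject it with."""
    email = user_attributes.get("email")
    if not email:
        return "an email address is required to register"
    try:
        domain = email_domain(email)
    except ValueError as exc:
        return str(exc)
    # Admin-created users (invitations) may come from outside the allow list;
    # self-service (PreSignUp_SignUp) and federated (PreSignUp_ExternalProvider)
    # sign-ups may not.
    if trigger_source != "PreSignUp_AdminCreateUser" and domain not in ALLOWED_EMAIL_DOMAINS:
        return f"registration from {domain} is not permitted"
    return None


def lambda_handler(event: dict, context=None) -> dict:
    """Cognito PreSignUp trigger. Raising denies the sign-up: Cognito passes the
    exception message back to the caller and creates no user."""
    reason = denial_reason(event.get("triggerSource", ""),
                           event.get("request", {}).get("userAttributes", {}))
    if reason:
        raise Exception(reason)
    # Leave verification in place: nothing here has proven that the address or
    # phone number belongs to the registrant, so never auto-confirm or auto-verify.
    response = event.setdefault("response", {})
    response["autoConfirmUser"] = False
    response["autoVerifyEmail"] = False
    response["autoVerifyPhone"] = False
    return event
```

The policy decision is kept in `denial_reason` so it can be unit-tested without a Lambda runtime; the handler only translates its answer into the trigger contract (return the event to allow, raise to deny).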
As with any AWS service, adopting Amazon Cognito as the authentication provider means the application benefits from AWS' continuous improvement and feature expansion. AWS has said, for example, that it is working on integrations with biometric authentication devices and protocols; when those ship, a Cognito customer should be able to enable them by changing Cognito configuration rather than writing, testing and maintaining hundreds or thousands of lines of source code.
User Pools
Among Amazon Cognito's most useful features are user pools, which provide a secure, scalable user directory together with sign-up and sign-in for mobile and web apps, as a fully managed service that scales to hundreds of millions of users. A user pool can be created from the AWS Console, the CLI, the API, or a CloudFormation template.
User pools are the fundamental component of any authentication system built on Amazon Cognito. A user pool can also be connected to external IdPs so that users register and sign in via Facebook, Google, Amazon, Apple, or any provider that supports OpenID Connect or SAML 2.0. On successful sign-in the pool issues JSON Web Tokens (an ID token, an access token and a refresh token), which the application and its back end must verify before trusting.
Identity Pools
Amazon Cognito identity pools (federated identities) let you create unique identities for your users and federate them with identity providers, including your own user pools. With a federated identity the client obtains temporary, limited-privilege AWS credentials, issued under IAM roles you define for authenticated and unauthenticated identities, and uses them to access AWS services such as Amazon DynamoDB, Amazon S3 and Amazon API Gateway. The main difference between user pools and identity pools is who is being granted access to what:
- User pools grant access to an application by authenticating users and issuing tokens (a user pool can also act as the identity provider for a Cognito identity pool).
- Identity pools grant access to AWS services by exchanging an identity provider's token for temporary AWS credentials whose permissions come from an IAM role.
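What "granting access to an application" means in practice is that the application's back end receives a user pool token and must validate it before acting on it. The Python below is an added example (not code from the article, ISG or AWS) that performs the checks Cognito's documentation lists for its tokens: signature against the JWKS key named by `kid`, expiry, issuer, `token_use`, and `aud` (ID token) or `client_id` (access token). The region, user pool id, app client id, signing key and tokens are constructed so the example runs offline, and the RS256 verification is hand-rolled on the standard library only to keep the example self-contained; in production fetch and cache the pool's JWKS and use a maintained JWT library.

```python
"""Validate an Amazon Cognito user pool JWT (ID or access token) offline.

Added example, stdlib only. The key pair, JWKS, pool identifiers and tokens are
constructed here; in production the JWKS is fetched (and cached) from
https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json
"""
import base64
import hashlib
import json
import time

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as a k-byte integer."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for RS256")
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs256_verify(jwk: dict, signing_input: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 / SHA-256 verification against an RSA JWK (n, e)."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    return s < n and pow(s, e, n) == _emsa_pkcs1_v15(signing_input, k)


def verify_cognito_jwt(token, jwks, region, user_pool_id, client_id,
                       expected_use="id", now=None):
    """Return the claims of a valid token or raise ValueError.

    The 'alg' header is compared against RS256, never used to pick the algorithm.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256" or "kid" not in header:
        raise ValueError("unsupported alg or missing kid")
    key = next((k for k in jwks["keys"] if k.get("kid") == header["kid"]), None)
    if key is None or key.get("kty") != "RSA":
        raise ValueError("no matching RSA key in JWKS")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    if not rs256_verify(key, signing_input, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        raise ValueError("wrong issuer")
    if claims.get("token_use") != expected_use:
        raise ValueError(f"expected a {expected_use} token")
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != client_id:
        raise ValueError("token was not issued for this app client")
    return claims


def token_is_valid(*args, **kwargs) -> bool:
    """Boolean form of verify_cognito_jwt for callers that only need yes/no."""
    try:
        verify_cognito_jwt(*args, **kwargs)
        return True
    except ValueError:
        return False


# --- constructed test material; NOT a real Cognito key ---------------------

def make_test_keypair():
    """RSA key from two Mersenne primes: trivially factorable, test use only."""
    p, q = (1 << 521) - 1, (1 << 607) - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d


def jwk_from_key(n: int, e: int, kid: str) -> dict:
    def enc(x):
        return b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
            "n": enc(n), "e": enc(e)}


def sign_jwt(header: dict, claims: dict, n: int, d: int) -> str:
    """Mint a token the way the user pool would (test-only signer)."""
    signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                     b64url_encode(json.dumps(claims).encode()))
    k = (n.bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(signing_input.encode("ascii"), k), d, n)
    return signing_input + "." + b64url_encode(sig.to_bytes(k, "big"))
```

Typical use is `verify_cognito_jwt(id_token, jwks, "us-east-1", "us-east-1_EXAMPLE", app_client_id)` at the API boundary, with `expected_use="access"` when the caller presents the access token. The order of checks matters: the signature is verified before any claim is read, so forged or `alg: none` tokens are rejected before their contents can influence anything.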
Of the many advantages of deploying Amazon Cognito, the most obvious is what it replaces. Before Cognito, identity management was commonly custom coded on top of the existing architecture, with usernames and password hashes (or, worse, reversibly encrypted passwords) stored in the application database, which the team then had to manage and secure. With Cognito, AWS and independent third parties validate and certify the service, removing that responsibility from the engineering team and the SaaS provider; AWS operates the service and its public APIs entirely. Organizations concerned about the increasing frequency of identity-based cyberattacks should take a serious look at Cognito or another PaaS-based authentication service. Such services are backed by far larger and more experienced teams at Google, Microsoft, or AWS than most product teams can field, which makes them an asset and a smart choice for application authentication and identity management.
Final Thoughts
Organizations like ISG regularly use Cognito to provide secure, scalable identity and access management within their customers' software applications. Using Cognito for user authentication alongside services like AWS Amplify is faster, more robust, more scalable and more secure than custom coding, testing and maintaining an entire IAM service. A fully configurable, out-of-the-box service such as Amazon Cognito is therefore a great way to implement secure, scalable user authentication in your software product or service.