
Building a robust authentication system for your application is no easy feat - but sign up and sign-
Simon
This is episode 708 of the AWS podcast released on February 17, 2025. Hello everyone and welcome back to the AWS Podcast. Simon here with you. Great to have you back. And we are talking security today. And so I have two very special guests. Firstly, I have Rahul Sharma, who's a principal Product Manager here at AWS. G'day, Rahul, how are you going?
Rahul Sharma
Hey Simon, nice to see you. Nice to meet you.
Simon
Good to have you here. And also joined by Kevin Shanley, who is the worldwide lead for Identity. G'day Kevin, how you going?
Kevin Shanley
Hey, g'day. Try my Australia.
Simon
Picking up the vernacular already. So we're talking about a topic that is super important. In fact, it's job zero. It's the first priority. It is security. And there's lots of ways to achieve security, but security needs to be baked in. And, and one of the things we're going to talk about that helps you do that more easily is something called Amazon Cognito. Rahul, give us the elevator pitch. What is Amazon Cognito and why would I use it?
Rahul Sharma
Yeah, absolutely. So the simplest way I would describe is you can think about. Cognito is an AWS service that like, helps developers build like secure, scalable and customized sign up and sign in experiences swiftly for their applications. What we consistently hear from developers across our customer base is that building a robust authentication system is hard. You have to handle user management, user data store, attribute storage, secure sign up, sign in flows, and then also protect against any malicious traffic that is coming and attacking your web interface. So this what we consistently hear is like, it takes a lot, it's very time consuming to build your own authentication platform requiring substantial amount of heavy lift if you build it from scratch. And this is where Amazon Cognito comes in as a managed service to really help address these challenges so that developers can focus on building the business logic for their application features rather than implementing authentication systems from scratch.
Simon
And it's interesting, we already touched on our old friend undifferentiated heavy lifting. So for those of you playing the drinking game at home, you're welcome. And what it is really is that security is so important, but my goodness, it's hard to build it properly. And so if you're under pressure to build features and functions for the business, you're not going to get huge amounts of time to develop a beautiful end to end security flow that caters for a bunch of edge cases and it's the edge cases that get you. Now this is something that also gives you, it's you can put your own branding on, has the built in login screens and like there's a whole lot of stuff you don't have to build here, isn't it? This is kind of one of those ones you can take and plug in.
Kevin Shanley
Absolutely. And we really wanted to get started with that developer getting started experience. And it begins with, well, we actually had a hard look at what we did with Cognito a year ago and we brought in some external principal developers and said hey, you know what, what are we doing right? What are we doing wrong? How do we streamline this experience? How do we turn it from, you know, a several, several hours, several days or even weeks proposition into minutes? And absolutely, you know, so we've completely streamlined that experience and within just a couple clicks you're up and running with a new multi tenant user directory user pool and up and running with your first app.
Simon
So let's unpack that a little bit because certainly the last time I jumped into the Cognito console it had completely changed from the time before I'd done it. Even though it was my same user pool, et cetera, as I use it for one of my projects and I had set it up a long time ago. Wow, this is all really different. Obviously a lot of thought's gone into it. So let's talk about from a customer standpoint, what are the things that make it easy for me now? What are the things that have changed that maybe you know, if I looked at Cognito two years ago that I'm going to be like, oh wow, it does this now.
Rahul Sharma
Yeah, absolutely. So I think we launched like a series of like innovations just prior to re:Invent for Cognito touching upon different themes. So maybe what I can help here Simon, is for every listener listening and just categorize them into like say key value proposition that we targeted and then talk about what's new and how has Cognito evolved since then. So theme number one for us was really improving time to market and agility for customers to integrate with Cognito and really get their application up and running without having to deal with like building sign up sign in from scratch. So the first thing that we announced in this category or theme was what we call Cognito Managed Login. This is essentially like an evolution of Cognito's hosted UI and it's really a set of new customization capability that helps customers create more personalized signup and login experiences that align more closely with a company or application branding. As part of this release we launched, we have like a no code UI editor with different form and elements like font logos, backgrounds, different alignments which can allow you like more flexibility when you're setting up your like sign up and sign in pages. But in addition to that, one other consistent feedback that we heard from customers in different geographies of ours was more localization support. So as part of this release we launched like Cognito's managed login with like over 10 managed languages supported out of the box. So now that allows our customers more personalization through like languages that they have their end users logging in.
Simon
So that means, does that mean as a developer and I guess even as a UX person I can sit there and just map out what I want that login experience to look like and then it will just work that way?
Rahul Sharma
Absolutely, absolutely. Like you can essentially let your imaginations run as wild as you want, but also while making sure while as you iterate and define what your signup page would look like. Because what we hear from our customers is sign up and sign in pages are the first pages that end users interact with for customers application. This is the place where most of the drop offs happen in terms of user funnel. So making sure it's as intuitive is critical for like success of different customer applications. And with managed login you now have like more customizability like supported out of the box. So this was like one of the key like launch one of the key launches to help really reduce the time to market for customers. Kevin touched upon also like improved developer experience which is now you can actually create your user pool just in a few minutes. All you need is provide the type of application that you're building, be it like a traditional web app, mobile app, et cetera. And then Cognito behind the scene has like smart defaults that'll help you get started. All you need to do is define your type of application you have, define the set of minimum like user attributes needed to sign up and there you go, you create a user pool and you're ready to go. So that was another.
Simon
That's a really nice sort of speed enhancement to just get up and running.
Rahul Sharma
Absolutely. And it's actually very interesting. Simon, you call that out. Like as part of our launch announcement we had like a video that went out that talked about like creating a Cognito user pool in less time it takes to brew a cup of coffee. Highly encourage listeners to check that out and actually check out our console and get started with Cognito there. But in addition Simon, what I also wanted to call out is there are two other thematic areas that we rolled out like as part of this major Cognito overhaul. First as I called out was improving time to market for customers. The second critical area was for us is providing more seamless and frictionless end user login experiences to enable like end users of customers application to log in more seamlessly and more securely as well. So now in addition to traditional username and password based authentication, we now allow for passwordless login with passkeys, email and SMS as first factor. So that was another. This is now supported out of the box. Customers don't have to build like custom authentication flows to enable this.
Simon
And this is becoming quite a common pattern design pattern now like as I'm noticing in services I use is often like there's non apart password like you just give your email address and away you go.
Kevin Shanley
Absolutely. And if we've seen anything it's that people are not great at creating secure passwords. Time and again we see that even if someone does create a really secure password, it's often something they're repeating from site to site to site or with small variations add a number at the end and increment it from site to site or as your password's expiring. And so likewise one of the top vectors for ingress into a customer site is via like these compromised password attacks where passwords are broken on the dark web and then a mass bot attack occurs on a site just trying to get lucky on user accounts. And so this move to passwordless, you know, we're you know, trying to remove that entire vector, get folks out of the business of trying to you know, remember things and just you know, send codes and passkeys.
Simon
And what about multi factor authentication? That's obviously another really strong mitigant that folks use these days.
Rahul Sharma
Absolutely. And this. So we also support multi factor authentication across different factors as well. Simon. So we have SMS and time based OTP as what we already supported from before. We also announced support for email based multi factor authentication sometime in third quarter of last year, around late second quarter, third quarter of last year. So this allows for like say more options for customers. And what's interesting is like this was a very good segue for second factor authentication because typically what we hear customers do is like when they detect any kind of suspicious traffic. Today Cognito's threat protection capabilities like provide you risk scoring and based on the risk scores that is ascribed customers have the option to configure either blocking that sign in attempt or actually optionally stepping up and like having second factor authentication. And the other thing that we, and this is where I want to tie in with like what we launched as well announced is what we consistently heard from customers was that our threat protection capabilities have historically been more expensive. So what we have done through this announcement just prior to re:Invent was the launch of a new feature tier called Cognito Plus, which essentially has all these threat protection capabilities Cognito offered from before, like compromised credentials detection that Kevin called out, risk based adaptive authentication, et cetera, at a price point which is up to 60% lower from a monthly bill savings standpoint. So basically, and in addition we also support passwordless login as well as this new managed login, all in this Cognito Plus tier as well.
Simon
All of it. That's a great bit of, I'm sure that both of you, and Kevin in particular, as you're sort of talking to customers around the world, you're hearing what the problem is. And people don't want to have to be charged for security, they want to be able to get the best out of security. And I guess it's interesting you talked about the compromise and the pattern matching and those types of things. Let's talk a bit more about that because you know, if, if you take a naive view of security for an application like, well, you provide a password and you log in and you get on with your day. And so we don't, as developers, we don't spend a lot of time on that stuff, but there be dragons in that very phase there. Can you, can you unpack for us the types of things we're mitigating against and the types of attacks that folks are likely to see that this type of capability helps with?
Kevin Shanley
Absolutely. And you know, whenever we're talking in terms of a customer site, we also have to address the issue of friction. You know, the more times, the more sort of roadblocks we set up on a customer site, the more you're going to have drop off. Right. It'll be great from a security perspective to have everyone sign in with three factors of authentication and hardware tokens and everything your customers won't put up with. I ain't doing that. And so really we start there. And on the Plus tier we do device profiling and we have a construct of adaptive authentication so that we can actually pick up, you know, how you've authenticated, how you're strongly authenticated and based on various different risk parameters, you know, going from your device changing to even like impossible travel conditions where I log in, in one city and then I log in five minutes later from another city that we're picking up, you know, changes in your risk and then adaptively deciding, hey, let's step up that authentication and go to a higher level with multi factor authentication. And so that's also included at that Plus tier as well. And so yeah, really just trying to continually push the bar to lower that friction, raise security.
Simon
I think that adaptability is really important too because if you think about it from I guess a provider perspective, so someone building an application for their customers, like you said, I want an easy experience, but they also don't want their customers being hacked. Also they don't have to carry the burden of if customers are being compromised and then they've got to start doing fixes and help and resets, et cetera. It's like the old thing, you know, probably, probably the most revolutionary thing that ever happened in it was the self service password reset. So you know, this is kind of that next level of saying, well you know, we can predictively protect you as a, as a user against the miscreants that are out there, which is I think really, really important. What else, what else have you been working on? What else have you been hearing to make it better, easier and more secure?
Kevin Shanley
Well certainly you hit upon one of those components with the self service password reset. You know, as much as we're seeing the industry at large move towards passwordless type mechanisms, everyone still uses passwords, they're still absolutely, you know, just about everywhere. And so how do we secure that? You know, okay, we can instruct customers, well, make it complex, make it a certain length, make it have some characters, some special characters in it, all these things are great. But if you've had a secure password that's been compromised at another site and is downloadable on the dark web, well that's a problem. And so we actually have this massive compromised credentials database that every time you sign up, sign in, change your password, we're able to actually validate that you're not using a password that's already been broken. So kind of proactively and preemptively going about trying to secure those passwords that are out there.
Simon
And talk to us about, I guess, you know, you've got different scales of applications and application providers, you've got sort of the smaller players, you've got large ones, you've got SaaS providers, et cetera. Help us understand about, I guess, you know, multi tenancy tenant isolation, how does that play out in this construct?
Kevin Shanley
So you know, across Cognito, we really have four top level use cases. Core customer identity, access management, machine to machine authentication, using our credentials brokers to go in via user pools into AWS. And then a very important one is B2B multi tenant SaaS customers. And so Cognito was built from the ground up having a multi tenant user directory which we lovingly call user pools. And at creation we can go and create as many of these user pools as you see fit to cover all your tenancy operations. But it goes even beyond that. We actually have five different layers of multi tenancy built into Cognito, depending on if you want to kind of move the needle and change how much you want to segregate every customer tenant, enforce tenant isolation, or if you want to actually be able to do things like share policies, write a policy once and have 20,000 multi tenant customers be able to use that same policy. And so depending on what sort of your architecture is, or if you need to enforce things like tenant isolation, enforce against a noisy neighbor problem, to be able to really hit a whole lot of different use cases.
Simon
So you have, you have that choice. I guess the other thing I wanted to dive into is obviously we're talking about, you know, the fact that this is pre built, you can just use the flows, you can go on there. But what if I'm special? What if I need a custom flow or something different? How hard is that for me to do.
Kevin Shanley
So actually within Cognito there are a variety of ways of doing custom, different customizations. At its heart, Cognito is really just, it's a whole set of APIs that allows you to log in and yeah, we have a number of different SDKs we're built into the Amplify framework. We're like the authentication provider that actually backends Amplify. We have a cloud identity SDK as well, a whole set of SDK frameworks that allow you to run front end authentication also, as well as an admin SDK that allows you to do a lot of those same things from the backend side as well. So you can create entirely custom authentication flows based on those components. And then in addition, built into the core Cognito authentication framework, we have a series of login and registration extensions. These are sort of our sign up and sign in Lambda extension hooks. And because they're Lambdas, you can actually use those to even do AWS Step Functions and so create a full orchestration layer that will change or give you different options based on your authentication flow.
Simon
That's amazing. So with that particularly I guess with that Lambda, you know, flow and the triggers, et cetera, you can, you can do what you need because sometimes people have really esoteric or arcane requirements about how they do their, you know, checking. They may need to go to a third party system, an internal system, et cetera. So you can, you don't have to be just all cloud native.
Kevin Shanley
Yeah.
Rahul Sharma
And in addition to what Kevin also called out, what's also interesting is like while you build out your custom authentication flows like on top of like the APIs and SDKs we offer, like our threat protection capability also helps you detect risks based on like custom authentication flows as well.
Simon
And I think that's really interesting that reporting side of things. Maybe let's unpack that a little more because this is not just a login system but it's giving insight into the customer experience and when customers log in and all this stuff, what sort of data do I pull from that that is useful for me?
Kevin Shanley
So one of the actually recent features we just launched is event log streaming with Amazon Cognito. And so what this gets you is previously of course we had our normal CloudTrail logs, CloudWatch logs and those capabilities. But what if you wanted to go kind of that step deeper and see, well, what's actually happening on the login events, what types of devices or locations is someone coming from and how do I actually correlate that data against all my application data, which is it's on different systems, it's across all sorts of different types of servers and systems, across AWS. And so we actually, with log streaming you're able to take our events and actually stream them out to Kinesis Firehose or even just to an S3 bucket. So you can collate and correlate all these findings and then say, oh, here I see this user has logged in here and then he accessed applications across the framework and oh, something's changed over here. So then it gives you that really in depth insight into how someone is actually able to traverse their session.
Simon
That's really interesting. So you're getting far more detail of what's happening, which is I think really powerful in terms of just that user experience piece as well as obviously security, identifying trends and patterns and other things like that. What else do you think thematically we should keep an eye out for where's the focus from the team? What are they looking at? What are they hearing from customers? What are they thinking about in the coming months?
Kevin Shanley
Well, unfortunately I can't join your roadmap. I can't go into roadmap details. But in terms of signals that I'm hearing back from customers, everyone is really very concerned about how levels of attacks and fraud and protecting your customer data. This has been really regular feedback we hear from the industry at large and in various different types of scenarios, things you'd never really think of. And so yeah, it's certainly top in the mind of our customers that serve their customers.
Simon
Just make that easier, make that easier. So if I want to get started, let's say let's maybe take two use cases. Let's say I'm starting from scratch, I'm building a new app. How would I use Cognito? Or I've got an existing app using some form of authentication, could be homegrown, could be third party. How do I choose to use Cognito? Help walk us through those two cases.
Kevin Shanley
Okay, so if you're writing your own app and let's say it's going to be a single page app on the React framework, well that's actually how we start as well. When you go to create your first user pool or multi tenant user directory before we used to actually ask you a whole slew of questions and you had to kind of figure a lot of things out yourself. Now we start with that, what type of app do you want to create? And based on that we will then intelligently with just a couple of questions, you know, ask you, hey, what are those required attributes we want to capture as a part of this user registration process is just email or do you want to catch mobile number or some of these different things. And then you click next and you're literally off to the races at this point you actually have then your multi tenant user pool built up and then it drops you into a screen where it has different code frameworks like React, maybe it's Python or some framework for like an iPhone or Android. And with the code pre built for you so that you can just do like an NPM install, you know, import a framework, it shows you the code to copy and paste into the framework so that you have single sign on into this new app that you're going to be developing and you're up and running, you've got a login page, you've got registration capabilities, it's all actually right there at that point.
Simon
That's pretty cool. So it's sort of like follow the bouncing ball to some extent and batteries included. So that's, that's the, that's the, you know, I've got a bright idea. I want to get my login page up and running, which is good. You should start with that. Start with security. Don't end with security. But what about if I'm. I've got something a little long in the tooth. Maybe it's been around for a while. Maybe I rolled my own auth. Because that's what you did in those days or it was just cheaper or whatever. How do I think about converting or migrating?
Kevin Shanley
Okay, go ahead, Rahul.
Rahul Sharma
Yeah, absolutely. And yeah, so you have various options here to like how if you want to migrate over and port over from your own authentication systems and actually move over to Cognito, we have something called like just in time migration, which is also like very popular that we have heard with customers. What it really translates is that if you have end users logging into your application, say one by one, all those new logins can essentially be ported over to Cognito user pools. And then at the end of all the active users logging in, you have the option to essentially do a bulk user upload for those users that are not active and then essentially migrate them over to Cognito. So we typically see this as a fairly popular model from a lot of our customers, like for migrating. Then the other option is doing like a one time like say bulk upload of all your users. The challenge with that is essentially you would essentially force your users to do a password reset which can be not the best customer experience or end user experience. We end up seeing a lot of our users or customers doing a combination of just in time and bulk upload: just in time for active users and then bulk upload for users that are not active.
Simon
That makes sense because I guess you're never going to coordinate everyone to do it at the same time. That's for sure.
Kevin Shanley
And I think what's really interesting there too is as you heard from Rahul, the long pole in the tent is actually going to be passwords. They could have some proprietary hashing or encryption. Just some way. You're never going to get that out of the source system. But where we see the game changing is passwordless. If you no longer need to migrate these passwords and everything's in just a phone number and email address, well, suddenly that migration is kind of. It's almost instantaneous. There's a lot you can do on that front.
Simon
That's pretty cool. And one other use case I want to talk about. So I mentioned that I've used Cognito for a long time, but I haven't touched it for a long time, which is good because I haven't needed to. But also, so if I've created my Cognito user pool years ago now, do I get access to these new goodies or do I have to do anything to be able to take advantage of that?
Rahul Sharma
So the only thing that you need to change, Simon, is you'll have to just change your user pool settings or like the feature tier that you need to select. So all the new features that we announced are part of a new Cognito feature tier called Cognito Essentials that basically encapsulates all the set of like core authentication capabilities to get you off the ground. And Plus, which I touched upon a little earlier for users, essentially takes all our threat protection capability and adds all the features that are there in Essentials, which is passwordless login experiences, new hosted UI in the form of managed login. The only thing that you need to do, it's very simple to actually switch to the new tiers and switch back and forth depending upon your use case requirements. You can do it either in just a few clicks on the console, you can look at your, on the left panel you'll have a settings page and you can like look and compare different features for different tiers and just decide to upgrade or downgrade to a different tier. Or you can do it programmatically using like our CLI by calling Update User Pool API and we now have a new parameter called User Pool Tier. You can configure your tier to be either Essentials or Plus and take advantage of these new features. Or infrastructure as code is another popular way where a lot of our customers end up like say, deploying and managing their Cognito user pool. So for example, if you're using CloudFormation, the Cognito User Pool resource type has a new parameter for User Pool Tier. You can set that configuration to Essentials or Plus and essentially update your CloudFormation deployment to have your user pool with these new tiers. Once you do that, you're entitled to all these new capabilities that were previously not available for customers.
Simon
Fantastic. Nothing better than an in place upgrade makes it much simpler. So it sounds like if you haven't looked at Cognito for a while, you should. And if you've got that sort of little lingering itch in the back of your head going not sure my login page is that good, or I'm not sure if I'm mitigating against all the things I could or should be, or I'm not providing my customers with a great login experience. This is definitely something worth having a look at. Rahul, thanks so much for coming on the show and explaining a bit more about it for us.
Rahul Sharma
Thank you. Thanks Simon, for having us.
Simon
And Kevin, thanks so much for coming on board and demystifying some of the stuff that goes out there on the scary web.
Kevin Shanley
It was great to be here. Thank you, Simon.
Simon
And we do love to get your feedback. awspodcast@amazon.com is the place to do it and until next time, keep on building.
AWS Podcast Episode #708: Unlocking Amazon Cognito: Secure, Scalable, Customized Sign-In
Release Date: February 17, 2025
Hosts: Simon Elisha and Hawn Nguyen-Loughren
Guests: Rahul Sharma (Principal Product Manager, AWS) and Kevin Shanley (Worldwide Lead for Identity, AWS)
In episode #708 of the AWS Podcast, hosts Simon Elisha and Hawn Nguyen-Loughren delve into the intricacies of Amazon Cognito, a pivotal service for developers and IT professionals focused on building secure, scalable authentication systems. Joining Simon are two AWS experts, Rahul Sharma and Kevin Shanley, who provide deep insights into Cognito's capabilities and recent enhancements.
Simon Elisha opens the discussion by emphasizing the critical importance of security in application development:
“Security is so important, but my goodness, it's hard to build it properly.” (02:00)
Rahul Sharma succinctly defines Amazon Cognito:
“Cognito is an AWS service that helps developers build secure, scalable and customized sign up and sign in experiences swiftly for their applications.” (01:05)
One of the standout themes discussed is Cognito's evolution to enhance time-to-market and agility for developers. Rahul highlights the introduction of Cognito Managed Login, an advancement of Cognito's hosted UI, which offers extensive customization without the need for extensive coding:
“We have a no code UI editor with different form and elements like font logos, backgrounds, different alignments...” (05:54)
This feature enables developers and UX designers to tailor the sign-up and sign-in pages to align with their branding effortlessly.
Responding to global customer needs, Cognito now supports over ten managed languages out of the box, facilitating a more personalized and localized user experience:
“Cognito's managed login with over 10 managed languages supported out of the box.” (05:54)
Moving beyond traditional password-based systems, Cognito now supports passwordless logins using passkeys, email, and SMS, significantly reducing the risk associated with compromised passwords:
“We now allow for passwordless login with passkeys, email and SMS as first factor.” (07:00)
Kevin Shanley elaborates on the importance of this shift:
“People are not great at creating secure passwords... This move to passwordless... removes that entire vector.” (08:56)
Cognito has expanded its MFA capabilities, now supporting SMS, time-based OTP, and email-based MFA. These options provide additional layers of security based on risk assessments:
“We also support multi factor authentication across different factors as well.” (09:59)
A significant update is the introduction of Cognito Plus, a new feature tier that offers advanced threat protection at up to 60% lower costs. This includes:
Kevin Shanley explains:
“Adaptive authentication allows us to pick up changes in risk and step up authentication to a higher level.” (12:31)
Cognito is designed to support multi-tenant SaaS applications with five layers of tenant isolation. This flexibility ensures that applications can scale securely, whether serving small startups or large enterprises:
“We have five different layers of multi tenancy built into Cognito...” (15:49)
This multi-tenancy support is crucial for SaaS providers needing to enforce tenant isolation or share policies across numerous customers.
For developers with existing authentication systems, Cognito offers seamless migration options:
Rahul Sharma outlines these strategies:
“Just in time migration translates to porting users as they log in, and then doing a bulk upload for inactive users.” (24:00)
Kevin Shanley adds that adopting passwordless authentication can simplify migration by removing the need to handle proprietary password hashing methods:
“If you no longer need to migrate these passwords and everything's in just a phone number and email address, suddenly that migration is kind of almost instantaneous.” (25:54)
Cognito offers extensive customization through APIs, SDKs, and Lambda triggers, enabling developers to create bespoke authentication flows. Whether integrating third-party systems or implementing unique verification steps, Cognito's flexibility ensures that diverse requirements can be met.
Kevin Shanley highlights:
“Within Cognito, there are a variety of ways of doing custom, different customizations... You can create entirely custom authentication flows based on those components.” (17:23)
Moreover, the integration with AWS Step Functions allows for complex orchestration of authentication processes:
“Login and registration extensions... allow you to use AWS step functions to create a full orchestration layer.” (18:34)
Understanding user behavior and security incidents is critical. Cognito now supports Event Log Streaming, enabling detailed insights into authentication events by streaming logs to services like Kinesis Firehose or S3:
“With log streaming, you're able to take our events and actually stream them out to Kinesis Firehose or even just to an S3 bucket.” (19:31)
This feature empowers developers to analyze login patterns, detect anomalies, and correlate authentication data with other application metrics for comprehensive security monitoring.
Existing Cognito users can effortlessly transition to the latest features by upgrading their feature tiers. The new Cognito Essentials and Cognito Plus tiers encapsulate the updated capabilities, available through both the AWS Management Console and programmatically via the AWS CLI or CloudFormation.
Rahul Sharma explains:
“You only need to change your user pool settings or like the feature tier that you need to select. All the new features... are part of a new Cognito feature tier called Cognito Essentials...” (26:15)
This in-place upgrade ensures that applications can benefit from the latest security enhancements and user experience improvements without significant redevelopment efforts.
Creating a New Application:
For developers starting from scratch, Cognito simplifies the setup process:
“When you go to create your first user pool... you click next and you're literally off to the races... you have a login page, you've got registration capabilities, it's all actually right there.” (22:01)
Migrating an Existing Application:
For applications with existing authentication systems, Cognito provides flexible migration paths:
“Just in time migration translates to porting users as they log in... and then doing a bulk upload for inactive users.” (23:56)
This dual approach ensures a smooth transition with minimal impact on end-user experience.
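The just-in-time path described above can be sketched as a Cognito User Migration Lambda trigger. This is an added example, not code from the episode or from AWS; the in-memory `LEGACY_USERS` store, the PBKDF2 legacy scheme and the sample account are constructed assumptions standing in for the old system.

```python
import hashlib
import hmac

# Constructed legacy store (assumption): a real migration would query the old
# system's database or login API. PBKDF2-SHA256 stands in for its hash scheme.
ITERATIONS = 100_000
SALT = b"constructed-salt"


def legacy_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


LEGACY_USERS = {
    "alice": {"salt": SALT, "hash": legacy_hash("correct horse battery", SALT),
              "email": "alice@example.com"},
}


def lambda_handler(event, context):
    """User Migration trigger: invoked when the user is not yet in the pool."""
    user = LEGACY_USERS.get(event["userName"])
    source = event["triggerSource"]

    if source == "UserMigration_Authentication":
        # Hash even for unknown users so both failures cost the same work,
        # then compare in constant time and raise one generic error.
        salt = user["salt"] if user else b"\x00" * 16
        candidate = legacy_hash(event["request"]["password"], salt)
        if user is None or not hmac.compare_digest(candidate, user["hash"]):
            raise Exception("Bad credentials")
        # The password was just verified, so Cognito can keep it as-is.
        event["response"]["finalUserStatus"] = "CONFIRMED"
    elif source == "UserMigration_ForgotPassword":
        # No password is supplied here; only confirm the account exists.
        if user is None:
            raise Exception("Bad credentials")
    else:
        raise Exception("Unexpected trigger source")

    event["response"]["userAttributes"] = {
        "email": user["email"],
        # Assumption: the legacy system had already verified this address.
        "email_verified": "true",
    }
    event["response"]["messageAction"] = "SUPPRESS"  # no welcome message
    return event
```

Users who never sign in are not touched by this trigger, which is why the episode pairs it with a bulk upload for inactive accounts.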
Looking ahead, the Cognito team remains focused on enhancing security measures and reducing friction for both developers and end-users. Continuous feedback loops with customers highlight the ongoing need for robust, adaptable authentication solutions amidst evolving threat landscapes.
Kevin Shanley concludes:
“Everyone is really very concerned about levels of attacks and fraud and protecting your customer data.” (21:37)
Amazon Cognito continues to evolve as a comprehensive solution for secure, scalable, and customizable user authentication. With significant enhancements in user experience, advanced security features, and seamless migration options, Cognito empowers developers to prioritize their application's core functionality without compromising on security. Whether building new applications or upgrading existing systems, Cognito offers robust tools to meet diverse authentication needs.
Simon Elisha wraps up the episode by encouraging listeners to explore Cognito's latest features:
“If you haven't looked at Cognito for a while, you should... this is definitely something worth having a look at.” (28:07)
Key Takeaways:
For developers and IT professionals seeking to bolster their application's security while maintaining agility and user satisfaction, Amazon Cognito presents a robust and versatile solution.