User authentication and authorization are critical components of virtually all software applications, so pick the right tool for the job.
Access has to be securely delivered through user-friendly and well-understood interactions: passwords, existing identity providers, single sign-on or secret keys. Traditionally, application owners have created their own user records to manage credentials and permissions. User access management is a time-consuming task -- and a risky one. If IT doesn't follow security best practices, those credential stores become serious vulnerabilities.
Many cloud vendors developed tools to meet the need. One of the most popular tools for the job is Amazon Cognito. Although AWS' native user management service is appealing to many customers, others wonder if they could get more value out of third-party offerings. There are a few popular alternatives, such as Auth0, Okta and Google Firebase Authentication.
In this Amazon Cognito review, we'll go over its capabilities and cost, and compare the service to third-party offerings. Use the information to decide which tools best fit the needs of your applications.
Amazon Cognito capabilities and limitations
First, understand how Amazon Cognito works and where its limits are. Its two main components are user pools and identity pools. User pools are user directories in which application owners store and configure their app users' information. Identity pools create user identities that grant those users access to other AWS services.
User pools control different components of authentication and authorization, such as rules for usernames, password format, fields associated with a user, as well as options for login.
With user pools, developers can configure the messages, verification codes and links sent to new users. User pools also support multifactor authentication (MFA), which adds a layer of security by requiring users to verify their identity with a code sent by SMS to a mobile phone or generated by a time-based one-time password (TOTP) app.
Even though Cognito supports MFA, it doesn't offer a developer-friendly way to set up an end-to-end MFA experience. For example, there is no easy way to integrate external MFA tools through the Cognito console. Google, an AWS competitor, offers Google Authenticator, a mobile app that generates two-step verification codes, and Auth0 has its Auth0 Guardian MFA mobile app; Cognito offers no MFA mobile app of its own in which end users can confirm their temporary access codes.
Similar to other user management tools, Cognito enables developers to configure self-hosted custom registration pages that link to external identity providers, such as Facebook, Google or an external Security Assertion Markup Language (SAML) identity provider. However, when you compare Cognito versus Auth0 or Okta, the alternatives offer more features. For example, Auth0 can connect with 40 external identity providers.
The main pain point for developers on Cognito is that it lacks a practical way to build custom login pages. Cognito only offers a form where developers configure UI parameters such as dimensions, colors and CSS values, in a way that makes the end result difficult to visualize. This limitation has pushed developers to look for a more user-friendly experience that meets their application's needs.
Pricing, integrations give Cognito a leg up
While this Amazon Cognito review shows that the service lags behind other tools in some areas, it offers built-in integrations with multiple other AWS products, such as API Gateway, Application Load Balancer and AppSync. This native compatibility likely makes Cognito the better option for applications that run on AWS.
Users who authenticate with Cognito can receive permissions to access resources in any AWS service. Developers use a single AWS SDK to implement functionality related to Cognito, together with any other AWS APIs.
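The integrations above work because a user pool issues signed JSON Web Tokens that API Gateway, ALB or your own backend can verify without calling Cognito on every request. The example below is added here and is not code from the article, from AWS or from the AWS SDK; it shows the checks a resource server has to make on such a token. Go is used because its standard library has RSA, which lets the example mint and verify RS256 tokens offline. The claim names (iss, token_use, aud, client_id, exp) and the issuer format are those of Cognito user-pool tokens; the region, pool ID, client ID and key ID are placeholders, and the key set is generated locally in place of the one a pool publishes at https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// CognitoClaims lists the user-pool token claims a resource server must check.
type CognitoClaims struct {
	Iss      string `json:"iss"`
	Aud      string `json:"aud,omitempty"`       // ID tokens carry the app client ID here
	ClientID string `json:"client_id,omitempty"` // access tokens carry it here instead
	TokenUse string `json:"token_use"`           // "id" or "access"
	Exp      int64  `json:"exp"`                 // Unix seconds
}

var b64 = base64.RawURLEncoding

// issuerURL is the iss value every token from a given user pool carries.
func issuerURL(region, poolID string) string {
	return fmt.Sprintf("https://cognito-idp.%s.amazonaws.com/%s", region, poolID)
}

// demoJWKS stands in for the key set fetched and cached from the pool's
// /.well-known/jwks.json; the private half exists only to mint test tokens here.
func demoJWKS(kid string) (*rsa.PrivateKey, map[string]*rsa.PublicKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key, map[string]*rsa.PublicKey{kid: &key.PublicKey}
}

// decodeSegment base64url-decodes one JWT segment and parses it as JSON into v.
func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// mintRS256 builds header.payload.signature the way the pool does (RS256).
func mintRS256(key *rsa.PrivateKey, kid string, c CognitoClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + b64.EncodeToString(sig)
}

// VerifyCognitoToken pins the algorithm, verifies the signature with the key named by
// kid, and only then checks issuer, token_use, audience and expiry. Any failure yields no claims.
func VerifyCognitoToken(token string, jwks map[string]*rsa.PublicKey, region, poolID, clientID, wantUse string, now int64) (*CognitoClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr map[string]string
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	pub, ok := jwks[hdr["kid"]]
	if hdr["alg"] != "RS256" || !ok { // never let the token choose its algorithm or key
		return nil, errors.New("unexpected alg or unknown kid")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c CognitoClaims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuerURL(region, poolID):
		return nil, errors.New("wrong issuer")
	case c.TokenUse != wantUse || (wantUse != "id" && wantUse != "access"):
		return nil, errors.New("wrong token_use")
	case wantUse == "id" && c.Aud != clientID, wantUse == "access" && c.ClientID != clientID:
		return nil, errors.New("wrong audience")
	case c.Exp <= now:
		return nil, errors.New("expired")
	}
	return &c, nil
}

func main() {
	key, jwks := demoJWKS("key-1") // placeholder IDs below are constructed for this example
	tok := mintRS256(key, "key-1", CognitoClaims{Iss: issuerURL("us-east-1", "us-east-1_EXAMPLE"), Aud: "client-abc", TokenUse: "id", Exp: 2000000000})
	_, err := VerifyCognitoToken(tok, jwks, "us-east-1", "us-east-1_EXAMPLE", "client-abc", "id", 1700000000)
	fmt.Println("accepted:", err == nil)
}
```

In a real deployment the jwks map is filled from the pool's published key set and refreshed when an unknown kid appears, since pools rotate keys. The token_use check matters because ID and access tokens from the same pool are both valid signatures; a backend that accepts an ID token where it meant to authorize with an access token has widened what a stolen token can do.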
Cost is an area where Cognito offers a significant advantage against Auth0 and Okta. Amazon Cognito pricing is based on the number of monthly active users, which is anyone who triggers an interaction with the service, such as registration, login, token refresh or password change.
Cognito offers a free tier of 50,000 monthly active users, which is enough for many AWS customers running fully operational SaaS products. Costs are based on active users above 50,000. An application with 100,000 active users would pay $275 per month, applying the free tier to the first 50,000. A million users would cost $4,415 per month. Pricing for users that authenticate through SAML or OpenID Connect federation is higher. Cognito adopters also pay more for other advanced features, such as auditing.
Auth0 and Okta have a similar pricing model based on monthly active users, but at a higher rate. Auth0 offers a free plan for 7,000 users. Beyond that, the tool has developer, developer pro and enterprise rates. At Auth0's basic developer rate, 10,000 active users cost $228 per month and 50,000 cost $1,138 per month. Okta, another Cognito competitor, starts with a free tier for 1,000 monthly active users and has three pricing levels for its identity service. At Okta's base rate, it costs $200 per month for 10,000 active users and $1,000 per month for 50,000 active users.
Firebase Authentication, on the other hand, charges $0.01 per user verification, which would turn into $100 per month for 10,000 users, assuming they have a single verification per month (highly unlikely). This pricing structure means user activity can turn the bill into a much higher monthly amount than expected.
In general, getting started with Amazon Cognito is not as easy as with the other options, but the product offers much better pricing and seamless integration with multiple AWS services. For AWS-based applications, Cognito is a better choice than the other user management and authentication tools on the market. For applications hosted elsewhere, if price is not an issue, it's better to consider Auth0, Okta or another third-party offering.