This article compares two authentication service providers: Auth0 and Amazon Cognito. Both of them are cloud-based identity management services.
Nowadays, many Software-as-a-Service (SaaS) companies often outsource their identity and access management needs to third parties. The question is how to figure out which works best for your specific business needs.
This is especially true for start-ups with limited resources and companies that are going to deliver software over the Internet. They must provide easy and secure access to their applications without being distracted from their core business.
For its part, many SaaS companies are already using the SSO platform to simplify the integration of their enterprise customers. They are actively growing and plan to expand their user base. So they want to find a replacement for their identity platform, whose services have become too expensive.
We will start with a brief overview of IAM and its tool SSO. Then look at the criteria you may use in choosing an SSO solution. Finally, we examine the competitive positions of the Auth0 and Amazon Cognito platforms in a comparative table.
What Is IAM Solution
Statista estimates that the global identity and access management market has reached $13.92 billion in revenue in 2021. Today organizations and users deal with multiple systems to carry out their daily business operations in a digital environment.
The number of credentials for each user is increasing, and it has become a real challenge not to forget or not to lose them. Security and privacy became another primary concern for service providers and SaaS platforms.
Identity and access management is the right solution that can resolve these risks. Every software product owner tends to use their own authentication mechanism.
Identity and access management (IAM) is a framework of policies and technologies to provide the verification of users' identity and to ensure the correct access level to technology resources in a company.
Employees, partners and customers are the target audience for implementing IAM in enterprises. In order to log into the company system and access digital resources, they might use different devices: routers, smartphones, computers, anytime they want.
IAM regulates several processes: authentication, which refers to identity management, authorization – access management, and administration of user accounts in software networks.
IAM Benefits for businesses
Getting identity right means making it easy for your consumers and workforce to connect to you digitally – which translates into making it easy to login, reset passwords, receive personalized digital content and maintain security and privacy. Ben Goodman.
When remote work becomes the norm and companies manage multiple applications and devices on a daily basis, adopting IAM solutions might be a time and money saving decision.
They help:
- to work in accordance with structural changes. Basically, they restrict access rights to applications;
- to assist in resolving cyberattacks and identity theft;
- to simplify the login process for users that increases sales in e-commerce;
- to increase workforce productivity. It solves the problem of forgotten passwords and restricted permissions.
IMA includes a great variety of tools connected to password management, consent management, risk rating, identity repositories and others.
Single sign-on (SSO) might be the first tool to secure your company and its users. Based on SSO, other IAM tools can be implemented. It is often mentioned with the deployment of multi-factor authentication (MFA), which requires two or more factors to prove a user's identity. They might be an email, telephone number or a secret question.
SSO as a tool of IAM
IAM infrastructures are often built based on SSO. It is a user authentication method that allows users to securely access multiple applications or services using a single set of credentials. After logging in, you can access all company-approved sites without having to log in again. Access through the SSO service may be applied to cloud-based and locally installed applications.
SSO is a key to ensuring convenience and security for Internet users. People still tend to reuse the same credentials to create new online accounts, which is a security risk. In other cases, they may forget them at all.
It is beneficial for employers to reduce the login time of employees, which increases productivity. It improves the comfort of employees, so instead of several passwords, they need a single access point to all their applications.
It saves money for the business. Over 50% of calls to the IT help desk deal with password resets. A single password reset request may cost businesses approximately $70.
SSO Protocols
SSO is built on a trust relationship between an application, known as the service provider (SP), and an identity provider (IdP). Identity data takes the form of tokens that contain identifying information about the user (a user’s email address or a username). The certificates are used to sign identity information sent from the identity provider to the service provider. In this way, the service provider knows that identity information is coming from a trusted source.
Several types of SSO according to the protocols they use:
Security Assertion Markup Language (SAML) is an open standard that allows identity providers to deliver authorization credentials to service providers.
Open Authorization (OAuth 2.0) is an open-standard authorization protocol. It transfers identification information between apps and encrypts it into machine code. It uses authorization tokens to prove an identity between consumers and service providers.
OpenID Connect (OICD) is a simple identity layer on top of the OAuth protocol. It allows service providers to verify the identity of the user based on the authentication performed by an authorization server. It enables a user to log in to a service using their Facebook or Google account, not entering user credentials.
Kerberos is a protocol that enables mutual authentication for both the user and server. It verifies the other’s identity on insecure network connections.
Types Of SSO
Three main variants of SSO: Web SSO (web access management) is a web authentication; it enables a user to provide his credentials. After a successful authentication process, establishes a relationship of trust that allows the user to access the permitted resources.
Legacy Web SSO (Enterprise SSO). It manages multiple logins to specific applications. The Legacy SSO extends the SSO functionality to the traditional legacy applications and network resources. Used in enterprise’s internal network.
Federated SSO refers to relationships maintained between organizations. It is based on Simple Object Access Protocol (SOAP) and Security Assertion Markup Language (SAML). Users once sign-on into a member of an affiliated group of organizations. And then they get access to all websites within that trusted federation.
Okta vs Auth0. United Forces
In May, 2021 Okta completed the acquisition of its biggest competitor, Auth0. The stock transaction was valued at $6.5 billion. As a result, Okta's coverage of the identity market reached $80 billion.
Identity is one of the most strategic investments an organization will make today. A single, unified identity platform has the power to transform an organization by providing seamless and secure access for both customers and employees, said CEO and Co-Founder of Okta McKinnon.
Okta has been a leading provider of identity and access management since 2009. Its software helps workforces to sign in to digital accounts. They sell authentication services to businesses and enable employees to use a “single sign-on”. Okta specializes in cloud-based identity. Organizations of all sizes were its priority. The company guarantees reliability and security for corporate clients.
Whereas Auth0 was created by developers for developers. The company was founded in 2013 as a log-in–tech startup. It provides services for those who want to build sign-in options for their own applications. Auth0 attracted techies who supported its products and had little bother about spending money on marketing. Application developers around the world have favored Auth0 for its extensibility, easy usage, and scope of documentation.
The collaboration between Auth0 and Okta makes it possible to get the best product for both use cases. Over 15,800 brands now trust the Okta platform to secure their digital interactions with employees and customers.
Resulted in the first quarter of 2022, Okta announced $415 million of total revenue. The increase year-over-year is 65%. Subscription revenue amounted to $398 million, 66% of the year-over-year increase.
Auth0 accounts for $66 million in total corporation revenue.
What is Auth0
Auth0 operates within Okta as an identity platform. It offers identity and authentication Software-as-a-Service (SaaS). Forrester Consulting reports that the Auth0 IAM software can generate a massive ROI of 548% with $11.7 million in benefits in less than six months.
Auth0 provides organizations with single sign-on, breached password detection, multi-factor authentication, and user identity management solutions for customers, business partners, and employees. It also provides opportunities for developers and security professionals.
Basically, Auth0 runs in their public cloud; however they also offer options to host it in a private cloud..
What Is Cognito
Cognito is a user identity service by Amazon Web Services (AWS). The service allows you to add the ability to register, authorize and control user access to mobile and Internet applications. Amazon Cognito scales to millions of users. Supports authorization with social identity providers (Apple, Facebook, Google, Amazon) as well as enterprise identity providers based on SAML 2.0 and OpenID Connect, OAuth 2.0.
It is clear that Cognito works great for AWS services. It only takes a few lines of code to register a user and get back tokens to log to a mobile or web app. The market share of Cognito in the IAM category was evaluated as 2,04%.
AWS offers the Cognito User Pool resource. It is used for serverless architecture and provides a cloud service where, through an API (or other services such as Amplify), users can be authenticated. Features: Manage Unique Identities, Work Offline, Store and Sync across Devices, MFA.
How To Choose SSO For SaaS Product: Criterias For Provider
Selecting an SSO provider, you should consider some criteria we have chosen for comparison. There is a range of capabilities to examine in a provider.
Auth0 vs AWS Cognito: Pricing
Both providers use monthly active users (MAU) as pricing fundamental value. It indicates the maximum number of users who have performed any auth operation at least once per month. Users’ identity operations include:
- Sign-up, sign-in, password change.
- Token refresh.
- Update of user account attributes.
Most businesses can reasonably predict this value. This allows you to make reliable estimates.
Estimates. Price estimation is available for both providers. Auth0 pricing allows you to choose between plan-based options, which can be different by a large margin depending on extra options besides MAU.
Cognito’s pricing model is primarily MAU based with few configuration options to consider, which makes it more predictable.
SSO Estimation limitations.
Auth0 allows you to estimate pricing for two plans which assume SSO. It is included in the features of the Professional plan, which is intended for teams and projects that need added security:
- B2C (business-to-consume) professional - up to 10000 MAUs.
- B2B (business-to-business) professional - till you are under 7000 MAU.
- Enterprise - as many as you need. Pricing considere Enterprise depends on your ability to negotiate and be assertive when dealing with sales.
Auth0 Enterprise was developed for production applications that need to scale. It includes a wide range of features: Custom Connection and User Ties; No Admin, Organization, or Rule limits; 99,99% SLA and Enterprise support, uptime guaranteed; Advanced Deployment options; Enterprise Adds-ons. But to launch it, you need personal contact with the sales department.
Auth0 plan calculator limits you to have up to 3 Identity provider connections. You should request your personal pricing offer for more and it might appear not obvious.
Cognito calculator allows for reliable predictions as opposed to Auth0, where unreliability magnifies as soon as you reach calculator limitations.
With Cognito, you can presume that pricing per user will drop as the number of users grows.
For the first 50 000 MAU using IdP connection you are charged $0.050 per user, while for the next 50 000 price drops to 0.035.
It is not that obvious if the price-per-user will drop for the Auth0 pricing model under the same circumstances.
Both platforms have a free plan:
- Auth0. Free up to 7000 MAU. Without any advanced features like role management, customized emails or log retention.
- Cognito. Free up to 50000 MAU for users who sign in directly to Cognito User Pools. Up to 50 MAUs for users federated through SAML 2.0 based identity providers.
Medium to long-term cost strategy.
For Auth0 pricing is defined by MAU and is static for chosen plans (at least within calculation parameters available).
For Cognito pricing might depend on service setup, which is probably not obvious and does presume to some degree you know what you are doing and what you are charged for. When “Advanced security features” are turned on, your pricing might increase significantly, but it still remains lower by a large margin compared to Auth0.
“Advanced security” provides similar behaviors you get from Auth0, one of those being monitoring and logging, which are essentials for enterprise systems of that kind and cannot be ignored by any stretch of the imagination.
Auth0 vs AWS Cognito: Compliance and Security
A data breach may cost millions, so it is crucial that companies trust their data to their vendors. Identity providers should show that they are serious about data security. They must meet security standards and ensure compliance certifications.
There are many certificates of compliance with leading organizations. See some of them:
- ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) form a worldwide standardization system. Its international standards contain requirements for the creation, implementation, maintenance and improvement of the information security management system.
- SOC 2 (System and Organization Controls) audit was created to define criteria for how external SaaS companies should manage their customer data. Getting this standart means an independent third party evaluates the product, infrastructure, and policies and ensures that the company complies with its requirements. It is necessary for clients of financial institutions, healthcare companies, and insurance companies.
- CSA STAR (Cloud Security Alliance Security, Trust, Assurance and Risk) certification ensures cloud service security capabilities.
- HIPAA (Health Insurance Portability and Accountability Act) makes organizations responsible for controlling access to customer and employee information.
- GDPR (General Data Protection Regulation) in Europe requires strict user access controls.
- PCI-DSS (Payment Card Industry Data Security Standard) matters if you are in finance or process card data.
Summary for Auth0 and Cognito: services compliance issue.
Both platforms have validated their compliance in the scope of specific compliance programs, including ISO/IEC of various types, SOC 2 and CSA STAR. SaaS companies and product owners should consider this as their clients might require compliance validation when integrating with their IdP.
Compliance with SOC 2 ensures that the auth platform prevents additional security risks for you and your customers as service consumers. If security risks might be considered a consequence of service integration within your system, those should be claimed in the documentation.
The advantage of using a compliant third-party service is to simplify your own compliance audit if your product is subject to certification.
And there is a crucial point to be taken into account. Although both services have the most standard certifications covering all levels of compliance, Auth0 is still in the lead in terms of implementation.
Note that Amazon Cognito has a problem with clients' libraries, which are far-off specifications. The point is that Cognito's default implementation means that tokens are stored in the browser's local storage or cookies. And this approach can no longer be considered safe and can become a severe obstacle when you pass the certification.
Anyways, security is always risk vs effort, and you might generally be ok with a Cognito solution unless your product needs a compliance audit.
Auth0 vs AWS Cognito: Documentation and Support
Support.
Being a multipurpose and multidomain platform, AWS does not provide dedicated Cognito support. You are getting a support level with regard to your general AWS support plan.
We would not recommend having a free AWS support plan for production environments as a medium to long-term strategy.
Auth0 support level depends on your plan and looks much more reliable compared to AWS. The reason is obvious: they are a single service platform and are more customer-oriented.
In general, you can expect better support from Auth0. Unless you are buying enterprise support from AWS, which assumes a dedicated support manager, but it is clearly expensive.
Documentation.
Both services provide reliable documentation with regards to SSO integration, including examples of integration with the most popular IdP providers.
Auth0 vs AWS Cognito: Enterprise IdP Flows
Many companies need to set up a portal so that users can navigate to the right app after signing in to the portal.
Generally, there are two options for how SSO can be initiated: by service-provider and identity-provider. Implementing identity provider-initiated single sign-on allows you to create a dashboard with a list of multiple enterprise applications that can be enabled for SSO.
Auth0 offers the product SSO Dashboard Extension. It meets enterprise scenario requests and allows the IdP users to log into your application just from the IdP application gallery. Users log in via this dashboard.
This is considered common practice. However, IdP-Initiated flows carry a security risk and are therefore not recommended. It opens the application to possible Login CSRF attacks. The recommendation is to use SP-Initiated flows whenever possible.
Auth0 clearly makes a claim about it in settings UI, while AWS would make reasonable claims in related documentation and will not provide you with any explicit options for configuring IdP login; however it is still supported.
Both platforms ensure you understand risks and raise concerns.
Auth0 vs AWS Cognito: Integration With Your Platform
You should examine if the auth platform supports integration with existing directory services and mobile/web applications.
Both platforms provide support for OIDC, SAML, and AD integration with IdPs with minor differences in configuration.
Both platforms support OAuth 2.0 authorization code flows, like “Implicit Grant” or PKCE (Proof Key for Code Exchange). The last one is recommended for both mobile desktop and web apps.
Note that due to security limitations, PKCE might be the only option for SPA (single-page applications).
Besides support, platforms provide libraries that will do most of the heavy-lifting for you when it comes to auth flow implementation.
Understanding and choosing proper auth flow is still your responsibility despite any given recommendations.
Auth0 vs AWS Cognito: Handling Recent Browser Security limitations
The United States and the European Union have concerns about personal data protection for their citizens.
They demand tech giants to solve the problem of online privacy. As an example, the GDPR was adopted in 2018. This is a special law on the data protection rights of European Union citizens. Based on it, site owners that collect user data must notify the user about this. If the user has not given consent, the collection of such data is prohibited.
Google plans to stop supporting third-party tracking cookies in Chrome over the next few years. Developers of other popular browsers will also block ad networks from using third-party cookies.
This will make a big difference in how web tracking works and how many websites generate revenue. Cookies are important for tracking in the advertising and publishing industry to display relevant advertisements.
Thus, recent developments in browser privacy technology and user privacy control (like ITP) influenced user experience (UX) and maintained user seamless access to resources. That means users need to reauthorize during a reasonable and configurable period to be able to operate within the platform. Of course, it caused disruption in UX.
The browser intention to limit access to third party cookies restricts the usage of the PKCE approach for refreshing “access token”.
To overcome those limitations, both compared platforms implement a “refresh token” approach which is a solution to the problem above. However, they differ in their ability to provide control over refresh token behavior.
Example: if you want a user session terminated after a certain period of inactivity, this is configurable in Auth0, while this must be implemented in Cognito.
Auth0 vs AWS Cognito: Monitoring and Logging
Logging is essential for SSO flows, and that is where Auth0 shines compared to Cognito. Despite “advanced security” enabling extra monitoring and logging for Cognito it is still far from what you get with Auth0 out of the box and requires extra efforts to achieve any sustainable results.
Auth0 vs AWS Cognito: Extensibility
It is important that the solution has the ability to connect to external systems for data sources, federation, etc. Most platforms offer a way to create custom extensions. These custom extensions can plug into the solution to deal with use cases that cannot be handled by built-in functionality.
AWS Cognito vs Auth0. Comparison For The Best SSO solution
Let's compare these two solutions for the software we were working on. This is FinTech software, so see the important criteria for them in the table below.
Pricing for product plans that support SSO.
| Plan name | Pricing for 5000 MAU | Pricing for 1000 MAU | Plan Features | |
|---|---|---|---|---|
| Auth0 B2C Professional | $1000 | $240 | Pro MFA; External databases; Admin Roles; 10 Actions, rules, hooks; Consolidated user stories; M2M Add-ons. | |
| Auth0 B2B Professional | $1500 | $800 | 3 Enterprise Connection; External databases; 10 Actions, rules, hooks; Admin Roles; 100 Orgs; M2M Add-ons. | |
| AWS Cognito | $74 | $14 | For users, who sign-in through SAML or OIDC federation, via enterprise identity providers. Next to 50 MAUs $0.015 per one. | |
| AWS Cognito with advanced security features enabled | $321 | $62 multiplier compliance | Provide risk-based adaptive authentication. Allows you to request additional verification via SMS or a time-based one-time password (TOTP), or block the login request. Protection against the usage of compromised credentials. It prompts users to change their passwords. |
To sum up, FinTech software is particularly demanding in terms of security, fastness and frictionless transactions. Therefore, they would prefer Cognito with advanced security features enabled or the B2B Professional plan with Auth0. So if we compare 5000 MAU, Cognito price will be $321 and Auth0 $1500. Thus, based on the price approach, AWS Cognito is preferable.
| Criterias | Auth0 | AWS Cognito |
|---|---|---|
| Security access solutions | B2C - Modern Customer Identity Management solution for business-to-customer organizations. For your customers. Via methods such as UN/PW or Social Connections. B2B - Identity Management for your Business Partners. Provide your customer enterprise identity integration, SSO across your products and adaptive authentication with MFA and Anomaly Detection. Via connections such as SAML, LDAP or AD. B2E Employee identity access management (Okta’s Workforce Identity solutions). | Amazon Cognito has two main components: user pools and identity pools. User pools are user directories that provide registration and login options for users of your application. Identity pools allow you to grant users access to other AWS services. |
| Pricing | The pricing model is confusing; it is a costly solution. Nevertheless, it includes a wide variety of identity management tools. | The price of this solution is competitive compared to other solutions on the market. |
| Compliance and security | Offer the most in regards to compliance. ISO27001, ISO27018, SOC 2 Type II, HIPAA BAA, Gold CSA STAR, PCI DSS, GDPR. Full compliance documentation. | Offer the most in regards to compliance. here is an issue with storage of tokens. ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 9001:2015, CSA STAR CCM v3.0.1, HIPAA, PCI DSS, SOC 1, 2, 3, ISMAP, FedRAMP, SGR, IRAP, C5, K-ISMS, MTCS, ENS, OSPAR, HITST CSF, FINMA, GSMA, PITuKri, CCCS, GDPR, FIPS 140-2, NIST 800-171. Full compliance documentation. |
| Documentation | Provide documentation of better quality with regard to SSO integration. It includes detailed documentation and clear code examples in popular programming languages. Offers several libraries with a large number of technologies. | Also, provide reliable documentation with regards to SSO integration including examples of integration with most popular IdP providers. But it is a little messy. |
| Monitoring and logging | You can monitor your implementation of Auth0, check the status of external identity provider services, and monitor your applications. Auth0 provides event logs that you can use for your business needs. | Supports two AWS services, so you can keep track of your organization and activities within it. |
| Support | Auth0 has better support included within its pricing plans. Provides user behavior analytics, profile dashboards, and authentication trends. | AWS support is service agnostic and must be purchased independently. Support is paid; you should be a premium customer of AWS. |
| Easy of integration | It is a marketplace for integrations with consent management, identity proofing, IT, social media, SMS, and customer success tools. Integrate with Google, GitHub, and Microsoft products. Uses an open API that can easily integrate with almost all third-party applications. Compatible with tools such as OIDC, LDAP, SAML and ADFS. Support OAuth 2.0 (“Implicit Grant” or PKCE). | Integrate with Google, Amazon, Twitter, Facebook, and SAML. Poor integration for non-AWS applications. Compatible with tools such as OIDC, SAML and ADFS. Support OAuth 2.0 (“Implicit Grant” or PKCE). |
| Data security | Secure credential storing in the Auth0 database or in-house enterprise repositories; single sign-on and MFA for secure data access. | UseMFA, SSL/TLS to communicate with AWS resources, use AWS encryption solutions, Amazon Macie. |
| Flexibility | Improved through the use of authentication pipelines. This is an important feature because it allows you to customize everything related to the authentication and authorization process. | Implemented by AWS Amplify. Gives developers the ability to customize the AWS backend and deployment options. |
| Protocol support | OAuth, OAuth 2, OIDC, SALM | OAuth 2, OIDC, SALM |
| Extensibility | JavaScript / NodeJS Custom code extensibility is presented in the customer dashboard in three ways: Auth0 Rules, Hooks, Extensions. | JavaScript / NodeJS |
| Handling recent browser security limitations | Auth0 provides a more solid and configurable approach to “refresh tokens” and related configuration with the minimum efforts possible. | It is more complicated and requires extra effort to set up. But you can still implement the “refresh tokens” approach with Cognito. Hard to find expiration times for tokens. |
| Enterprise IdP flows | Allow IdP-Initiated flows. Has clear settings to create SSO Dashboard Applications. | Does not support IdP-initiated SSO. |
Considering the above-listed criteria, AWS Cognito covers most of the necessary options for a FinTech product. Despite some disadvantages of this platform, the element of price might become a significant factor when choosing an identity platform.
Conclusion. AWS Cognito vs Auth0: Which Is The One
We compared two IAM software platforms, Amazon Cognito and Auth0, in terms of how they meet key security requirements. It would help if you made your own final decision based on your unique business needs.
Cognito is a great option for providing access to AWS services. It should definitely be recommended for users who are already AWS clients. It will provide built-in authentication with these services at the most competitive price. It is a good option for a business that plans to scale and serve a million MAUs as a B2C marketplace.
At the same time, it may not be the most suitable solution for a general authentication solution.
Auth0 is a good choice for small and mid-size businesses. It is a good option for companies that develop applications. It offers a variety of tools and built-in features, allowing the application team to get up and running quickly. Thus, their pricing model might be a confusing factor for most customers.
If you do not have many active users, Auth0 might be a good choice due to its built-in features and user support. It may be easier to start with products of this company. It is necessary to evaluate benefits and calculate the cost well.
However, both products have their unique pros. If you hesitate what solution is best for your project, contact Auth0 and the Amazon Cognito team to clarify pricing and ask for a product demo.