
Options for Mobile Platform Authentication

Seamus Riordan edited this page Oct 23, 2019 · 1 revision

Embedding keys/secrets into unencrypted software (present system)

- Explicitly not recommended
- Clunky way to distribute creds
- Control of access is limited to control of app distribution

Unauthenticated but able to suspend access

This was identified as likely the highest-value approach.

- Possibly with additional Lambda functionality for device identifiers
- Good for one-time events, but open to "anyone with an internet connection"
- Can revoke the role after a period of time (not sure about individual devices)
- May be useful just for "read-only" data, e.g. a message wall or reading the states of lights
- Control of access is through Amazon infrastructure at the bulk level

Encrypting keys/secrets into software with password

- Does not require mobile authorization servers or including a mobile SDK
- Should be done by requesting temporary creds with a revocable cert/key
- Proof-of-concept HTTP request:

wget --certificate=xxxxxxxxxx-certificate.pem.crt --private-key=x-private.xxxxxxxxxxxxpem.key --header="x-amzn-iot-thingname: <thing>" https://xxxxxxxxxx.credentials.iot.<region>.amazonaws.com/role-aliases/<something>Role-alias/credentials

- Revocable cert/key allows cycling with new app releases
- Build is complicated by needing to generate an encoded string/file from non-repository resources
- Control of access is limited to control of simultaneous app and shared-password distribution
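The wget one-liner above shows the exchange; the following is an added example (not code from this project) of the same flow as an app would implement it: load the cert and PEM-encrypted private key with the shared password, perform the mutual-TLS GET against the credential provider, parse the temporary credentials, and decide when they must be refreshed. Function names, the sample response and the "MyRole-alias"/"us-east-1" placeholders are assumptions for illustration; the response field names (`credentials.accessKeyId`, `secretAccessKey`, `sessionToken`, `expiration`) follow the AWS IoT credential-provider documentation. Only the standard library is used, so the parsing and refresh logic runs offline against the constructed response.

```python
"""Client side of the AWS IoT credential-provider exchange (added example)."""
import http.client
import json
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime  # timezone-aware, UTC


def credentials_host(endpoint_prefix: str, region: str) -> str:
    """Host of the account-specific credential-provider endpoint."""
    return f"{endpoint_prefix}.credentials.iot.{region}.amazonaws.com"


def credentials_path(role_alias: str) -> str:
    """Path that maps the presented device cert to an IAM role via a role alias."""
    return f"/role-aliases/{role_alias}/credentials"


def parse_credentials(body: bytes) -> TemporaryCredentials:
    """Parse the JSON returned by the credential provider.

    The documented response wraps the four fields under "credentials" and
    gives "expiration" as an ISO 8601 UTC timestamp ending in "Z".
    """
    doc = json.loads(body)["credentials"]
    exp = datetime.fromisoformat(doc["expiration"].replace("Z", "+00:00"))
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    return TemporaryCredentials(
        access_key_id=doc["accessKeyId"],
        secret_access_key=doc["secretAccessKey"],
        session_token=doc["sessionToken"],
        expiration=exp.astimezone(timezone.utc),
    )


def needs_refresh(creds: TemporaryCredentials, now: datetime,
                  margin: timedelta = timedelta(minutes=5)) -> bool:
    """True when the creds expire within `margin` of `now`, so the app
    requests a fresh set before a signed call fails with an expired token."""
    return now + margin >= creds.expiration


def fetch_credentials(endpoint_prefix, region, role_alias, thing_name,
                      cert_path, key_path, key_password=None, timeout=10):
    """Perform the mutual-TLS GET that the wget one-liner performs.

    `key_password` is the shared password that unlocks a PEM-encrypted
    private key shipped inside the app; ssl decrypts it on load.
    """
    ctx = ssl.create_default_context()  # verifies the AWS server certificate
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path, password=key_password)
    conn = http.client.HTTPSConnection(
        credentials_host(endpoint_prefix, region), context=ctx, timeout=timeout)
    try:
        conn.request("GET", credentials_path(role_alias),
                     headers={"x-amzn-iot-thingname": thing_name})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        # A deactivated/revoked cert, or a thing name the policy does not
        # allow, surfaces here as a non-200 status, not as an ssl error.
        raise PermissionError(f"credential provider returned {resp.status}: {body[:200]!r}")
    return parse_credentials(body)


# Constructed sample response in the documented shape (not a real credential).
SAMPLE_RESPONSE = json.dumps({
    "credentials": {
        "accessKeyId": "ASIAEXAMPLEEXAMPLE",
        "secretAccessKey": "exampleSecretKeyExampleSecretKeyExample",
        "sessionToken": "exampleSessionTokenExampleSessionToken",
        "expiration": "2019-10-23T13:00:00Z",
    }
}).encode()


if __name__ == "__main__":
    creds = parse_credentials(SAMPLE_RESPONSE)
    now = datetime(2019, 10, 23, 12, 57, tzinfo=timezone.utc)
    print("https://" + credentials_host("xxxxxxxxxx", "us-east-1") + credentials_path("MyRole-alias"))
    print("refresh needed:", needs_refresh(creds, now))
```

Because the private key is only decrypted in memory by `load_cert_chain`, the app never has to write a plaintext key to disk; rotating the cert/key pair and deactivating the old certificate in AWS IoT is what actually cuts off old app builds, since the shared password alone does not.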

Unauthenticated by Amazon with parallel Forge-run authorization server

- Supports OAuth 2.0, SAML, OpenID Connect
- Shared username/password account
- Can be cycled
- Control of access is through Amazon infrastructure combined with a locally controlled authorization server

Authorization by users through Amazon, Google, Facebook, AD, etc.

- Requires us to sign off on users individually (should explore allowing blanket authorization if there is an associated account)
- Extra steps for users to do auth on their own
- Control of access is through Amazon infrastructure at the individual user level