Migrating 30k bank users to a new system presented many challenges: 1. The legacy system was a "black box" that stored usernames, hashed passwords, and customer data in an unstructured way, making migration difficult. 2. Early attempts worked for test users but failures occurred at scale due to unforeseen issues like an SMS quota being exceeded and validation rules not matching legacy data. 3. User experience problems arose from unclear language about migrating vs new accounts, and missing validation on legacy usernames. 4. Security issues emerged when engineers tried to help users with forgotten passwords, exposing data from the legacy system. The migration process required flexibility to address unexpected problems at both the

1. Migrating 30k bank
users - what can
possibly go wrong?
Anna Skawińska

2. Anna Skawińska
Node.js Team Manager,
Senior Node.js Developer @TSH
also: mom of 2, wife, self-taught musician,
constant learner and doer, dad joke professional

3. Agenda
The Masterplan
2
The Challenge
1
The Reality
3
Lessons learned
4

4. The Challenge

6. Greenfield app

7. Cognito User Pool
● email used as username
● email used as password recovery method
● phone number used as MFA method
● so: both required

8. Backend
Legacy app
● blackbox
● > 26 000 users
Migration of logins
logins
Greenfield app
banking data
● 3 months on prod
● for new customers only
● < 100 users
Cloud-native
backend

9. Legacy app

10. Two customers, one login

11. Two customers, one login
ID USERNAME PASSWORD
123456 AA_SMITH 0x49FE91D153D79C57FA3EC25E1BB762EE9527313E7F02060E281AA36F5B6AE4E2
423454 AA23456 0x49FE91D153D79C57FA3EC25E1BB762EE9527313E7F02060E281AA36F5B6AE4E2
423455 AB23456 0x49FE91D153D79C57FA3EC25E1BB762EE9527313E7F02060E281AA36F5B6AE4E2
LOGIN_ID FIRST_NAME LAST_NAME DATE_OF_BIRTH CUSTOMER_ID PHONE EMAIL
123456 Mrs Smith 01-01-1985 XXXXX null null
123456 Mr Smith 06-06-1980 YYYYY null null
Logins
Customers

13. The Masterplan

14. Extract logins to DynamoDB
username,
password,
date of birth,
old customer ID
Extract
Create
Join
DynamoDB

15. Denormalize Logins using dateOfBirth
USERNAME PASSWORD DATE_OF_BIRTH NEW_CUSTOMER_ID
AA_SMITH
0x49FE91D153D79C57FA3EC25E1BB762EE9527313E7F02060E281AA36F5B6AE4E2
01-01-1985 0010E00001IfPmYQAV
AA_SMITH
0x49FE91D153D79C57FA3EC25E1BB762EE9527313E7F02060E281AA36F5B6AE4E2
06-06-1980 0010E00001GgxM2QAJ

16. How to load it to Cognito?

17. ✅ transparent to the users
❌ email missing - mandatory in our Cognito (alias and recovery method)
❌ phone missing - mandatory in our Cognito (MFA method)
Bulk import?

18. Migrate User Lambda trigger?
SignIn:
username/
password
user doesn’t
exist?
external user
directory
import username/
password

19. Migrate User Lambda - code
exports.handler = (event, context, callback) => {
var user;
if ( event.triggerSource == "UserMigration_Authentication" ) {
// authenticate the user with your existing user directory service
user = authenticateUser(event.userName, event.request.password);
if ( user ) {
storeCustomerId(event.userName, user.customerId);
event.response.userAttributes = {
"email": event.request.validationData.email,
"phone_number": event.request.validationData.phone_number,
};
event.response.finalUserStatus = "CONFIRMED";
event.response.messageAction = "SUPPRESS";
context.succeed(event);
}
else {
// Return error to Amazon Cognito
callback("Bad password");
}
}
};

20. But: password policy
Legacy app:
#yolo xD
Cognito:
Policies:
PasswordPolicy:
MinimumLength: 12
RequireLowercase: true
RequireNumbers: true
RequireSymbols: true
RequireUppercase: true

21. But: password policy..?
🤔
󰣼
🙀
⁉

22. Password policy 2021 vs 2022

23. ✅ may be transparent to the user
✅ first sign in: custom authentication against pre-migrated logins
✅ ValidationData, ClientMetadata: user could add phone, email address…
❌ 2021: Password Policy applied on legacy passwords
✅ 2022: Password Policy no longer applied on legacy passwords!
Migrate User Lambda trigger?

24. The Masterplan

25. First SignUp…

26. …then check legacy login

27. SignUp: email,
password, phone…
ConfirmSignUp
(verify email)
InitiateAuth
GraphQL: migrateLegacyUser(
oldUsername, oldPassword,
dateOfBirth)
verifyLegacyLogin(
oldUsername, oldPassword,
dateOfBirth)
new UserId ⇒ new CustomerId
RespondToAuthChallenge
(MFA => verify phone)

28. How to do it securely?
● What if it leaks out?
● Oh, it’s just temp!
USERNAME PASSWORD DATE_OF_BIRTH NEW_CUSTOMER_ID
AA_SMITH
0x49FE91D153D79C57FA3EC25E1BB762EE9527313E7F02060E281AA36F5B6AE4E2
01-01-1985 0010E00001IfPmYQAV
AA_SMITH
0x49FE91D153D79C57FA3EC25E1BB762EE9527313E7F02060E281AA36F5B6AE4E2
06-06-1980 0010E00001GgxM2QAJ
superCoolHashingFunction!
PK NEW_CUSTOMER_ID
a883a161f49e38d70bc17e0915d2faf0da58aaef7352f2204fdc916969d36cc69f9d
374cf764e210687633001bd6ac25d2bcbaf695e0e6ebb20893fa1f5603ac 0010E00001GgxM2QAJ
● This Dynamo table stays for the verifyLegacyLogin Lambda

29. SuperCoolHashingFunction
async generateHash(username: string, passwordHash: string, dateOfBirth: string) {
// So that identical passwords have unique hash:
const salt = `${username}#${dateOfBirth}`;
const hash = await this.hashWithSalt(passwordHash, salt);
// So that a leaked hash table can't be reverse engineered:
const pepperedHash = await this.hashWithSalt(hash, this.options.passwordSalt);
return pepperedHash;
}

30. The Reality

31. ● check with test data:
○ generate fake credentials + date of birth, store in DDB, automate
○ worked (repeatedly) ✅
● check with a couple of “friendly” customers (knowing their passwords upfront)
○ worked ✅
So far, so good

32. Day 0

33. SMS Quota
● 7.5k people * $0.1189 / SMS ≈ $900
● quota at the time?
● $100…
● raised to $1000 right away
● enough for how long..?

34. UX failure #1: “Sign up” vs “Migrate”
● target group: 60+
● missed the “already have an account?” question
● solution: “sign in” is now on a different landing page than
“sign up”

35. UX failure #2 - no validation on username
● no prior idea of what usernames look like
● (black box)
● temp migration table only accessed by the Bank’s internal
employee

36. Security failure
● Customer: “password doesn’t work”
● …Engineers: added “reveal password” feature
● Customer: “password doesn’t work”
● CTO + Engineer on the line
● Customer, CTO, Engineer: “password doesn’t work”
● guessing game, reverse engineering legacy system…
● …
● …legacy system cropped long passwords
● solution: why not crop, too 🙈 (migration step only)

37. Lessons learned

38. Expect the unexpected
● UI changes on demand!

39. Expect a peak right after announcement
● expect a massive peak on the first day / week after the announced migration
● calculate the monthly quotas accordingly
● you can lower them after the first month

40. Lambda autoscaling worked like a charm
● there was no need for provisioned concurrency
● peak traffic gracefully handled

41. Migration Lambda Trigger - weak passwords work now!
● The Out-of-the-box AWS Cognito functionality would work now
● you can forget this presentation now 󰤆

42. tsh.io
Thank you for your attention.

43. Miłej środy!