AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-03-10 · Documentation low

File: cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_RespondToAuthChallenge_section.md

Summary

Added two new MFA challenge response examples (SELECT_MFA_TYPE and SOFTWARE_TOKEN_MFA) and updated existing NEW_PASSWORD_REQUIRED example with improved formatting and placeholder values

Security assessment

The changes document security-related MFA authentication flows but do not address a specific security vulnerability. The additions provide guidance on implementing security features (MFA challenges) rather than patching an issue.

Diff

diff --git a/cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_RespondToAuthChallenge_section.md
index c9233ab4f..8c4ce4e58 100644
--- a/cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_RespondToAuthChallenge_section.md
+++ b/cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_RespondToAuthChallenge_section.md
@@ -22 +22 @@ CLI
-**To respond to an authorization challenge**
+**Example 1: To respond to a NEW_PASSWORD_REQUIRED challenge**
@@ -24 +24 @@ CLI
-This example responds to an authorization challenge initiated with initiate-auth. It is a response to the NEW_PASSWORD_REQUIRED challenge. It sets a password for user [email protected].
+The following `respond-to-auth-challenge` example responds to a NEW_PASSWORD_REQUIRED challenge that initiate-auth returned. It sets a password for the user `[email protected]`.
@@ -26 +25,0 @@ This example responds to an authorization challenge initiated with initiate-auth
-Command:
@@ -28,2 +27,5 @@ Command:
-    
-    aws cognito-idp respond-to-auth-challenge --client-id 3n4b5urk1ft4fl3mg5e62d9ado --challenge-name NEW_PASSWORD_REQUIRED --challenge-responses [email protected],NEW_PASSWORD="password" --session "SESSION_TOKEN"
+    aws cognito-idp respond-to-auth-challenge \
+        --client-id 1example23456789 \
+        --challenge-name NEW_PASSWORD_REQUIRED \
+        --challenge-responses [email protected],NEW_PASSWORD=[Password] \
+        --session AYABeEv5HklEXAMPLE
@@ -44 +46 @@ Output:
-              "DeviceKey": "us-west-2_fec070d2-fa88-424a-8ec8-b26d7198eb23",
+                "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
@@ -49,0 +52,58 @@ Output:
+For more information, see [Authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html) in the _Amazon Cognito Developer Guide_.
+
+**Example 2: To respond to a SELECT_MFA_TYPE challenge**
+
+The following `respond-to-auth-challenge` example chooses TOTP MFA as the MFA option for the current user. The user was prompted to select an MFA type and will next be prompted to enter their MFA code.
+    
+    
+    aws cognito-idp respond-to-auth-challenge \
+        --client-id 1example23456789
+        --session AYABeEv5HklEXAMPLE
+        --challenge-name SELECT_MFA_TYPE
+        --challenge-responses USERNAME=testuser,ANSWER=SOFTWARE_TOKEN_MFA
+    
+
+Output:
+    
+    
+    {
+        "ChallengeName": "SOFTWARE_TOKEN_MFA",
+        "Session": "AYABeEv5HklEXAMPLE",
+        "ChallengeParameters": {
+            "FRIENDLY_DEVICE_NAME": "transparent"
+        }
+    }
+
+For more information, see [Adding MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html) in the _Amazon Cognito Developer Guide_.
+
+**Example 3: To respond to a SOFTWARE_TOKEN_MFA challenge**
+
+The following `respond-to-auth-challenge` example provides a TOTP MFA code and completes sign-in.
+    
+    
+    aws cognito-idp respond-to-auth-challenge \
+        --client-id 1example23456789 \
+        --session AYABeEv5HklEXAMPLE \
+        --challenge-name SOFTWARE_TOKEN_MFA \
+        --challenge-responses USERNAME=testuser,SOFTWARE_TOKEN_MFA_CODE=123456
+    
+
+Output:
+    
+    
+    {
+        "AuthenticationResult": {
+            "AccessToken": "eyJra456defEXAMPLE",
+            "ExpiresIn": 3600,
+            "TokenType": "Bearer",
+            "RefreshToken": "eyJra123abcEXAMPLE",
+            "IdToken": "eyJra789ghiEXAMPLE",
+            "NewDeviceMetadata": {
+                "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
+                "DeviceGroupKey": "-v7w9UcY6"
+            }
+        }
+    }
+
+For more information, see [Adding MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html) in the _Amazon Cognito Developer Guide_.
+