AWS cognito documentation change
Summary
Updated section headings and added MFA compatibility details for passwordless authentication flows. Clarified passkey terminology and feature availability.
Security assessment
The changes document security-related constraints around MFA compatibility with passwordless flows but do not address a specific vulnerability. The updates enhance clarity about security feature interactions without evidence of patching a security issue.
Diff
diff --git a/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md b/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md index dbbc27fa7..3532d4cad 100644 --- a//cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md +++ b//cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md @@ -5 +5 @@ -Sign-in with third-party IdPsSign-in with persistent passwordsSign-in with persistent passwords and secure payloadPasswordless sign-in with one-time passwordsPasskey sign-inMFA after sign-inRefresh tokensCustom authenticationUser migration authentication flow +Third-party IdP sign-inPassword sign-inPassword sign-in with SRPOne-time password sign-inWebAuthn passkey sign-inMFA after sign-inRefresh tokensCustom authenticationUser migration authentication flow @@ -46 +46 @@ After you set up sign-in flows for a user, you can check their current status fo - * Passkey sign-in + * Passwordless sign-in with WebAuthn passkeys @@ -313 +313,3 @@ On a successful `PASSWORD_VERIFIER` challenge response, Amazon Cognito issues to -Passwords can be lost or stolen. You might want to verify only that your users have access to a verified email address, phone number, or authenticator app. The solution to this is _passwordless_ sign-in. Your application can prompt users to enter their username, email address, or phone number. Amazon Cognito then generates a one-time password (OTP), a code that they must confirm. A successful code completes authentication. This authentication flow isn't eligible for multi-factor authentication (MFA). +Passwords can be lost or stolen. You might want to verify only that your users have access to a verified email address, phone number, or authenticator app. The solution to this is _passwordless_ sign-in. Your application can prompt users to enter their username, email address, or phone number. Amazon Cognito then generates a one-time password (OTP), a code that they must confirm. A successful code completes authentication. + +Passwordless authentication flows aren't compatible with required multi-factor authentication (MFA) in your user pool. If MFA is optional in your user pool, users who have activated MFA can't sign in with a passwordless first factor. Users who don't have an MFA preference in an MFA-optional user pool can sign in with passwordless factors. For more information, see [Things to know about user pool MFA](./user-pool-settings-mfa.html#user-pool-settings-mfa-prerequisites). @@ -438 +440 @@ This would also be the next challenge response if you requested `EMAIL_OTP` as a -## Passkey sign-in +## Passwordless sign-in with WebAuthn passkeys @@ -443,0 +446,2 @@ You might want to replace passwords with the thumbprint, face, or security-key a +Passwordless authentication flows aren't compatible with required multi-factor authentication (MFA) in your user pool. If MFA is optional in your user pool, users who have activated MFA can't sign in with a passwordless first factor. Users who don't have an MFA preference in an MFA-optional user pool can sign in with passwordless factors. For more information, see [Things to know about user pool MFA](./user-pool-settings-mfa.html#user-pool-settings-mfa-prerequisites). + @@ -471 +475 @@ Passkeys are _discoverable_. They can be automatically recognized and used by a -Passkeys are an opt-in feature that's available in all [feature plans](./cognito-sign-in-feature-plans.html) other than **Lite**. It is only available in the [choice-based authentication flow](./authentication-flows-selection-sdk.html#authentication-flows-selection-choice). With [managed login](./authentication-flows-selection-managedlogin.html), Amazon Cognito handles the logic of passkey authentication. You can also use the [Amazon Cognito user pools API in AWS SDKs](./amazon-cognito-user-pools-authentication-flow-methods.html) to do passkey authentication in your application back end. +Passkeys are an opt-in feature that's available in all [feature plans](./cognito-sign-in-feature-plans.html) except for **Lite**. It is only available in the [choice-based authentication flow](./authentication-flows-selection-sdk.html#authentication-flows-selection-choice). With [managed login](./authentication-flows-selection-managedlogin.html), Amazon Cognito handles the logic of passkey authentication. You can also use the [Amazon Cognito user pools API in AWS SDKs](./amazon-cognito-user-pools-authentication-flow-methods.html) to do passkey authentication in your application back end.