AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-04-03 · Documentation low

File: cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md

Summary

Updated section headings and added MFA compatibility details for passwordless authentication flows. Clarified passkey terminology and feature availability.

Security assessment

The changes document security-related constraints around MFA compatibility with passwordless flows but do not address a specific vulnerability. The updates enhance clarity about security feature interactions without evidence of patching a security issue.

Diff

diff --git a/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md b/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md
index dbbc27fa7..3532d4cad 100644
--- a//cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md
+++ b//cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md
@@ -5 +5 @@
-Sign-in with third-party IdPsSign-in with persistent passwordsSign-in with persistent passwords and secure payloadPasswordless sign-in with one-time passwordsPasskey sign-inMFA after sign-inRefresh tokensCustom authenticationUser migration authentication flow
+Third-party IdP sign-inPassword sign-inPassword sign-in with SRPOne-time password sign-inWebAuthn passkey sign-inMFA after sign-inRefresh tokensCustom authenticationUser migration authentication flow
@@ -46 +46 @@ After you set up sign-in flows for a user, you can check their current status fo
-  * Passkey sign-in
+  * Passwordless sign-in with WebAuthn passkeys
@@ -313 +313,3 @@ On a successful `PASSWORD_VERIFIER` challenge response, Amazon Cognito issues to
-Passwords can be lost or stolen. You might want to verify only that your users have access to a verified email address, phone number, or authenticator app. The solution to this is _passwordless_ sign-in. Your application can prompt users to enter their username, email address, or phone number. Amazon Cognito then generates a one-time password (OTP), a code that they must confirm. A successful code completes authentication. This authentication flow isn't eligible for multi-factor authentication (MFA).
+Passwords can be lost or stolen. You might want to verify only that your users have access to a verified email address, phone number, or authenticator app. The solution to this is _passwordless_ sign-in. Your application can prompt users to enter their username, email address, or phone number. Amazon Cognito then generates a one-time password (OTP), a code that they must confirm. A successful code completes authentication.
+
+Passwordless authentication flows aren't compatible with required multi-factor authentication (MFA) in your user pool. If MFA is optional in your user pool, users who have activated MFA can't sign in with a passwordless first factor. Users who don't have an MFA preference in an MFA-optional user pool can sign in with passwordless factors. For more information, see [Things to know about user pool MFA](./user-pool-settings-mfa.html#user-pool-settings-mfa-prerequisites).
@@ -438 +440 @@ This would also be the next challenge response if you requested `EMAIL_OTP` as a
-## Passkey sign-in
+## Passwordless sign-in with WebAuthn passkeys
@@ -443,0 +446,2 @@ You might want to replace passwords with the thumbprint, face, or security-key a
+Passwordless authentication flows aren't compatible with required multi-factor authentication (MFA) in your user pool. If MFA is optional in your user pool, users who have activated MFA can't sign in with a passwordless first factor. Users who don't have an MFA preference in an MFA-optional user pool can sign in with passwordless factors. For more information, see [Things to know about user pool MFA](./user-pool-settings-mfa.html#user-pool-settings-mfa-prerequisites).
+
@@ -471 +475 @@ Passkeys are _discoverable_. They can be automatically recognized and used by a
-Passkeys are an opt-in feature that's available in all [feature plans](./cognito-sign-in-feature-plans.html) other than **Lite**. It is only available in the [choice-based authentication flow](./authentication-flows-selection-sdk.html#authentication-flows-selection-choice). With [managed login](./authentication-flows-selection-managedlogin.html), Amazon Cognito handles the logic of passkey authentication. You can also use the [Amazon Cognito user pools API in AWS SDKs](./amazon-cognito-user-pools-authentication-flow-methods.html) to do passkey authentication in your application back end.
+Passkeys are an opt-in feature that's available in all [feature plans](./cognito-sign-in-feature-plans.html) except for **Lite**. It is only available in the [choice-based authentication flow](./authentication-flows-selection-sdk.html#authentication-flows-selection-choice). With [managed login](./authentication-flows-selection-managedlogin.html), Amazon Cognito handles the logic of passkey authentication. You can also use the [Amazon Cognito user pools API in AWS SDKs](./amazon-cognito-user-pools-authentication-flow-methods.html) to do passkey authentication in your application back end.