AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-04-03 · Documentation medium

File: cognito/latest/developerguide/user-pool-settings-mfa.md

Summary

Added detailed restrictions about MFA/passwordless compatibility and choice-based sign-in behavior

Security assessment

Documents security configuration details about MFA enforcement and authentication flow restrictions

Diff

diff --git a/cognito/latest/developerguide/user-pool-settings-mfa.md b/cognito/latest/developerguide/user-pool-settings-mfa.md
index 987f8fc73..95b85df9b 100644
--- a//cognito/latest/developerguide/user-pool-settings-mfa.md
+++ b//cognito/latest/developerguide/user-pool-settings-mfa.md
@@ -44 +44,9 @@ Before you set up MFA, consider the following:
-  * You can have either required MFA _or_ passwordless sign-in factors in your user pool. You can't set MFA to required in user pools that support [one-time passwords](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passwordless) or [passkeys](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passkey). You can't activate [choice-based sign-in](./authentication-flows-selection-sdk.html#authentication-flows-selection-choice) with the `USER_AUTH` flow in user pools that require MFA.
+  * Users can either have MFA _or_ sign in with passwordless factors.
+
+    * You can't set MFA to required in user pools that support [one-time passwords](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passwordless) or [passkeys](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passkey).
+
+    * You can't add `WEB_AUTHN`, `EMAIL_OTP`, or `SMS_OTP` to `AllowedFirstAuthFactors` when MFA is required in your user pool. In the Amazon Cognito console, you can't edit **Options for choice-based sign-in** to include passwordless factors.
+
+    * [Choice-based sign-in](./authentication-flows-selection-sdk.html#authentication-flows-selection-choice) only offers `PASSWORD` and `PASSWORD_SRP` factors in all app clients when MFA is required in the user pool. For more information about username-password flows, see [Sign-in with persistent passwords](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-password) and [Sign-in with persistent passwords and secure payload](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-srp) in the **Authentication** chapter of this guide.
+
+    * In user pools where MFA is optional, users who have configured an MFA factor can only sign in with username-password authentication flows in choice-based sign-in. These users are eligible for all [client-based sign-in](./authentication-flows-selection-sdk.html#authentication-flows-selection-client) flows.
@@ -49,0 +58,2 @@ Your [password recovery](./managing-users-passwords.html#user-pool-password-rese
+The example request body for [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html#API_UpdateUserPool_Examples) illustrates an `AccountRecoverySetting` where users can fall back to recovery by SMS message when email-message password reset is unavailable.
+