AWS cognito documentation change
Summary
Expanded authentication methods documentation (WebAuthn passkeys, OTP via email/SMS, Lambda challenges) and updated IAM terminology
Security assessment
Adds documentation about security features like WebAuthn and OTP authentication methods, but does not address specific vulnerabilities. The IAM terminology change ('authenticated' to 'authorized') is non-substantive.
Diff
diff --git a/cognito/latest/developerguide/authentication.md b/cognito/latest/developerguide/authentication.md index 46a1ca2cb..cf8da2343 100644 --- a//cognito/latest/developerguide/authentication.md +++ b//cognito/latest/developerguide/authentication.md @@ -9 +9,3 @@ Implement authentication flowsThings to knowAuthentication flow example -Amazon Cognito includes several methods to authenticate your users. All user pools, whether you have a domain or not, can authenticate users in the user pools API. If you add a domain to your user pool, you can use the [user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html). The user pools API supports a variety of authorization models and request flows for API requests. +Amazon Cognito includes several methods to authenticate your users. Users can sign in with passwords and WebAuthn passkeys. Amazon Cognito can send them a one-time password in an email or SMS message. You can implement Lambda functions that orchestrate your own sequence of challenges and responses. These are _authentication flows_. In authentication flows, users provide a secret and Amazon Cognito verifies the secret, then issues JSON web tokens (JWTs) for applications to process with OIDC libraries. In this chapter, we'll talk about how to configure your user pools and app clients for various authentication flows in various application environments. You'll learn about options for the use of the hosted sign-in pages of managed login, and for building your own logic and front end in an AWS SDK. + +All user pools, whether you have a domain or not, can authenticate users in the user pools API. If you add a domain to your user pool, you can use the [user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html). The user pools API supports a variety of authorization models and request flows for API requests. @@ -194 +196 @@ For more information about app clients, see [Application-specific settings with -After five failed unauthenticated or IAM-authenticated sign-in attempts with a password, Amazon Cognito locks out your user for one second. The lockout duration then doubles after each additional one failed attempt, up to a maximum of approximately 15 minutes. Attempts made during a lockout period generate a `Password attempts exceeded` exception, and don't affect the duration of subsequent lockout periods. For a cumulative number of failed sign-in attempts _n_ , not including `Password attempts exceeded` exceptions, Amazon Cognito locks out your user for _2^(n-5)_ seconds. To reset the lockout to its _n=0_ initial state, your user must either sign in successfully after a lockout period expires, or not initiate any sign-in attempts for 15 consecutive minutes at any time after a lockout. This behavior is subject to change. This behavior doesn't apply to custom challenges unless they also perform password-based authentication. +After five failed unauthenticated or IAM-authorized sign-in attempts with a password, Amazon Cognito locks out your user for one second. The lockout duration then doubles after each additional one failed attempt, up to a maximum of approximately 15 minutes. Attempts made during a lockout period generate a `Password attempts exceeded` exception, and don't affect the duration of subsequent lockout periods. For a cumulative number of failed sign-in attempts _n_ , not including `Password attempts exceeded` exceptions, Amazon Cognito locks out your user for _2^(n-5)_ seconds. To reset the lockout to its _n=0_ initial state, your user must either sign in successfully after a lockout period expires, or not initiate any sign-in attempts for 15 consecutive minutes at any time after a lockout. This behavior is subject to change. This behavior doesn't apply to custom challenges unless they also perform password-based authentication.