AWS Security ChangesHomeSearch

AWS cognito medium security documentation change

Service: cognito · 2025-05-01 · Security-related medium

File: cognito/latest/developerguide/user-pool-settings-mfa-totp.md

Summary

Clarified that AWS WAF CAPTCHA rules affect TOTP MFA in both managed login and classic hosted UI

Security assessment

The change documents a security-relevant interaction where WAF CAPTCHA rules can cause unrecoverable errors in TOTP MFA setup. This impacts authentication security by potentially blocking MFA configuration in critical login flows.

Diff

diff --git a/cognito/latest/developerguide/user-pool-settings-mfa-totp.md b/cognito/latest/developerguide/user-pool-settings-mfa-totp.md
index cb70f653f..54abdd2ab 100644
--- a//cognito/latest/developerguide/user-pool-settings-mfa-totp.md
+++ b//cognito/latest/developerguide/user-pool-settings-mfa-totp.md
@@ -133 +133 @@ Finally, your app should allow your user to deactivate their TOTP configuration.
-When you have an AWS WAF web ACL associated with a user pool, and a rule in your web ACL presents a CAPTCHA, this can cause an unrecoverable error in managed login and managed login TOTP registration. AWS WAF CAPTCHA rules only affect TOTP MFA in the classic hosted UI in this way. SMS MFA is unaffected. Currently, AWS WAF web ACL rules don't apply to user pool domains with the managed login branding version; see [Things to know about AWS WAF web ACLs and Amazon Cognito](./user-pool-waf.html#user-pool-waf-things-to-know).
+When you have an AWS WAF web ACL associated with a user pool, and a rule in your web ACL presents a CAPTCHA, this can cause an unrecoverable error in managed login and managed login TOTP registration. AWS WAF CAPTCHA rules _only_ have this effect on TOTP MFA in managed login and the classic hosted UI. SMS MFA is unaffected.