AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-07-13 · Documentation low

File: cognito/latest/developerguide/user-pool-settings-mfa.md

Summary

Updated image references with descriptive alt text for accessibility in MFA configuration documentation

Security assessment

Changes only modify image markup syntax to include accessibility-focused alt text descriptions. No security-related content modifications, vulnerability fixes, or new security features documented. The updates improve accessibility but don't impact security controls or address vulnerabilities.

Diff

diff --git a/cognito/latest/developerguide/user-pool-settings-mfa.md b/cognito/latest/developerguide/user-pool-settings-mfa.md
index 95b85df9b..c6b3453b5 100644
--- a//cognito/latest/developerguide/user-pool-settings-mfa.md
+++ b//cognito/latest/developerguide/user-pool-settings-mfa.md
@@ -152 +152 @@ The following list corresponds to the numbering in the decision logic diagram an
-  2. If they succeed username-password authentication, determine whether MFA is required, optional, or off. If it is off, the correct username and password results in successful authentication.  ![](/images/cognito/latest/developerguide/images/checkmark.png)
+  2. If they succeed username-password authentication, determine whether MFA is required, optional, or off. If it is off, the correct username and password results in successful authentication.  ![Green circular icon with a checkmark symbol inside.](/images/cognito/latest/developerguide/images/checkmark.png)
@@ -154 +154 @@ The following list corresponds to the numbering in the decision logic diagram an
-    1. If MFA is optional, determine if the user has previously set up a TOTP authenticator. If they have set up TOTP, prompt for TOTP MFA. If they successfully respond to the MFA challenge, they're signed in.  ![](/images/cognito/latest/developerguide/images/checkmark.png)
+    1. If MFA is optional, determine if the user has previously set up a TOTP authenticator. If they have set up TOTP, prompt for TOTP MFA. If they successfully respond to the MFA challenge, they're signed in.  ![Green circular icon with a checkmark symbol inside.](/images/cognito/latest/developerguide/images/checkmark.png)
@@ -156 +156 @@ The following list corresponds to the numbering in the decision logic diagram an
-    2. Determine if the adaptive authentication feature of threat protection has required the user to set up MFA. If it hasn't assigned MFA, the user is signed in.  ![](/images/cognito/latest/developerguide/images/checkmark.png)
+    2. Determine if the adaptive authentication feature of threat protection has required the user to set up MFA. If it hasn't assigned MFA, the user is signed in.  ![Green circular icon with a checkmark symbol inside.](/images/cognito/latest/developerguide/images/checkmark.png)
@@ -158 +158 @@ The following list corresponds to the numbering in the decision logic diagram an
-  3. If MFA is required or adaptive authentication has assigned MFA, determine if the user has set an MFA factor as enabled and preferred. If they have, prompt for MFA with that factor. If they successfully respond to the MFA challenge, they're signed in.  ![](/images/cognito/latest/developerguide/images/checkmark.png)
+  3. If MFA is required or adaptive authentication has assigned MFA, determine if the user has set an MFA factor as enabled and preferred. If they have, prompt for MFA with that factor. If they successfully respond to the MFA challenge, they're signed in.  ![Green circular icon with a checkmark symbol inside.](/images/cognito/latest/developerguide/images/checkmark.png)
@@ -166 +166 @@ The following list corresponds to the numbering in the decision logic diagram an
-    3. If neither email nor SMS MFA is available, prompt the user for TOTP MFA. If they successfully respond to the MFA challenge, they're signed in.  ![](/images/cognito/latest/developerguide/images/checkmark.png)
+    3. If neither email nor SMS MFA is available, prompt the user for TOTP MFA. If they successfully respond to the MFA challenge, they're signed in.  ![Green circular icon with a checkmark symbol inside.](/images/cognito/latest/developerguide/images/checkmark.png)
@@ -172 +172 @@ The following list corresponds to the numbering in the decision logic diagram an
-    6. Prompt the user for the factor that they select in response to the `SELECT_MFA_TYPE` challenge. If they successfully respond to the MFA challenge, they're signed in.  ![](/images/cognito/latest/developerguide/images/checkmark.png)
+    6. Prompt the user for the factor that they select in response to the `SELECT_MFA_TYPE` challenge. If they successfully respond to the MFA challenge, they're signed in.  ![Green circular icon with a checkmark symbol inside.](/images/cognito/latest/developerguide/images/checkmark.png)
@@ -176 +176 @@ The following list corresponds to the numbering in the decision logic diagram an
-  6. If the user has only an email address or only a phone number, determine whether that attribute is also the method the user pool implements to send account-recovery messages for password reset. If true, they can't complete sign-in with MFA required and Amazon Cognito returns an error. To activate sign-in for this user, you must add a non-recovery attribute or register a TOTP authenticator for them.  ![](/images/cognito/latest/developerguide/images/error.png)
+  6. If the user has only an email address or only a phone number, determine whether that attribute is also the method the user pool implements to send account-recovery messages for password reset. If true, they can't complete sign-in with MFA required and Amazon Cognito returns an error. To activate sign-in for this user, you must add a non-recovery attribute or register a TOTP authenticator for them.  ![Red square icon with white exclamation mark, indicating a warning or alert.](/images/cognito/latest/developerguide/images/error.png)
@@ -180 +180 @@ The following list corresponds to the numbering in the decision logic diagram an
-    2. If they have a non-recovery email address attribute and email MFA is enabled, prompt them with an `EMAIL_OTP` challenge. If they successfully respond to the MFA challenge, they're signed in.  ![](/images/cognito/latest/developerguide/images/checkmark.png)
+    2. If they have a non-recovery email address attribute and email MFA is enabled, prompt them with an `EMAIL_OTP` challenge. If they successfully respond to the MFA challenge, they're signed in.  ![Green circular icon with a checkmark symbol inside.](/images/cognito/latest/developerguide/images/checkmark.png)
@@ -182 +182 @@ The following list corresponds to the numbering in the decision logic diagram an
-    3. If they have a non-recovery phone number attribute and SMS MFA is enabled, prompt them with an `SMS_MFA` challenge. If they successfully respond to the MFA challenge, they're signed in.  ![](/images/cognito/latest/developerguide/images/checkmark.png)
+    3. If they have a non-recovery phone number attribute and SMS MFA is enabled, prompt them with an `SMS_MFA` challenge. If they successfully respond to the MFA challenge, they're signed in.  ![Green circular icon with a checkmark symbol inside.](/images/cognito/latest/developerguide/images/checkmark.png)
@@ -184 +184 @@ The following list corresponds to the numbering in the decision logic diagram an
-    4. If they don't have an attribute that's eligible for an enabled email or SMS MFA factor, determine whether TOTP MFA is enabled. If TOTP MFA is disabled, they can't complete sign-in with MFA required and Amazon Cognito returns an error. To activate sign-in for this user, you must add a non-recovery attribute or register a TOTP authenticator for them.  ![](/images/cognito/latest/developerguide/images/error.png)
+    4. If they don't have an attribute that's eligible for an enabled email or SMS MFA factor, determine whether TOTP MFA is enabled. If TOTP MFA is disabled, they can't complete sign-in with MFA required and Amazon Cognito returns an error. To activate sign-in for this user, you must add a non-recovery attribute or register a TOTP authenticator for them.  ![Red square icon with white exclamation mark, indicating a warning or alert.](/images/cognito/latest/developerguide/images/error.png)
@@ -192 +192 @@ This step has already been evaluated as **No** if the user has a TOTP authentica
-    6. After the user responds to the `MFA_SETUP` challenge with the session token from a [VerifySoftwareToken](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifySoftwareToken.html) request, prompt them with an `SOFTWARE_TOKEN_MFA` challenge. If they successfully respond to the MFA challenge, they're signed in.  ![](/images/cognito/latest/developerguide/images/checkmark.png)
+    6. After the user responds to the `MFA_SETUP` challenge with the session token from a [VerifySoftwareToken](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifySoftwareToken.html) request, prompt them with an `SOFTWARE_TOKEN_MFA` challenge. If they successfully respond to the MFA challenge, they're signed in.  ![Green circular icon with a checkmark symbol inside.](/images/cognito/latest/developerguide/images/checkmark.png)
@@ -200 +200 @@ This step has already been evaluated as **No** if the user has a TOTP authentica
-    3. Prompt them for the factor that they select in response to the `SELECT_MFA_TYPE` challenge. If they successfully respond to the MFA challenge, they're signed in.  ![](/images/cognito/latest/developerguide/images/checkmark.png)
+    3. Prompt them for the factor that they select in response to the `SELECT_MFA_TYPE` challenge. If they successfully respond to the MFA challenge, they're signed in.  ![Green circular icon with a checkmark symbol inside.](/images/cognito/latest/developerguide/images/checkmark.png)
@@ -202 +202 @@ This step has already been evaluated as **No** if the user has a TOTP authentica
-    4. If only one attribute is an eligible MFA factor, prompt them with a challenge for the remaining factor. If they successfully respond to the MFA challenge, they're signed in.  ![](/images/cognito/latest/developerguide/images/checkmark.png)
+    4. If only one attribute is an eligible MFA factor, prompt them with a challenge for the remaining factor. If they successfully respond to the MFA challenge, they're signed in.  ![Green circular icon with a checkmark symbol inside.](/images/cognito/latest/developerguide/images/checkmark.png)
@@ -216 +216 @@ For email MFA, respond with `"ChallengeName": "MFA_SETUP", "ChallengeResponses":
-    1. Prompt them for the factor that they select in response to the `SELECT_MFA_TYPE` challenge. If they successfully respond to the MFA challenge, they're signed in.  ![](/images/cognito/latest/developerguide/images/checkmark.png)
+    1. Prompt them for the factor that they select in response to the `SELECT_MFA_TYPE` challenge. If they successfully respond to the MFA challenge, they're signed in.  ![Green circular icon with a checkmark symbol inside.](/images/cognito/latest/developerguide/images/checkmark.png)