AWS cognito documentation change
Summary
Clarified password lockout behavior for failed sign-in attempts
Security assessment
Enhanced documentation about security controls (account lockout mechanisms) but no evidence of addressing a specific vulnerability. Improves clarity of existing security feature.
Diff
diff --git a/cognito/latest/developerguide/authentication.md b/cognito/latest/developerguide/authentication.md index c26d23a7a..f51b4f956 100644 --- a//cognito/latest/developerguide/authentication.md +++ b//cognito/latest/developerguide/authentication.md @@ -194 +194,3 @@ For more information about app clients, see [Application-specific settings with -After five failed unauthenticated or IAM-authorized sign-in attempts with a password, Amazon Cognito locks out your user for one second. The lockout duration then doubles after each additional one failed attempt, up to a maximum of approximately 15 minutes. Attempts made during a lockout period generate a `Password attempts exceeded` exception, and don't affect the duration of subsequent lockout periods. For a cumulative number of failed sign-in attempts _n_ , not including `Password attempts exceeded` exceptions, Amazon Cognito locks out your user for _2^(n-5)_ seconds. To reset the lockout to its _n=0_ initial state, your user must either sign in successfully after a lockout period expires, or not initiate any sign-in attempts for 15 consecutive minutes at any time after a lockout. This behavior is subject to change. This behavior doesn't apply to custom challenges unless they also perform password-based authentication. +After five failed sign-in attempts with a user's password, regardless of whether those are requested with unauthenticated or IAM-authorized API operations, Amazon Cognito locks out your user for one second. The lockout duration then doubles after each additional one failed attempt, up to a maximum of approximately 15 minutes. + +Attempts made during a lockout period generate a `Password attempts exceeded` exception, and don't affect the duration of subsequent lockout periods. For a cumulative number of failed sign-in attempts _n_ , not including `Password attempts exceeded` exceptions, Amazon Cognito locks out your user for _2^(n-5)_ seconds. To reset the lockout to its _n=0_ initial state, your user must either sign in successfully after a lockout period expires, or not initiate any sign-in attempts for 15 consecutive minutes at any time after a lockout. This behavior is subject to change. This behavior doesn't apply to custom challenges unless they also perform password-based authentication.