AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-07-25 · Documentation medium

File: cognito/latest/developerguide/authentication.md

Summary

Clarified password lockout behavior for failed sign-in attempts

Security assessment

Enhanced documentation about security controls (account lockout mechanisms) but no evidence of addressing a specific vulnerability. Improves clarity of existing security feature.

Diff

diff --git a/cognito/latest/developerguide/authentication.md b/cognito/latest/developerguide/authentication.md
index c26d23a7a..f51b4f956 100644
--- a//cognito/latest/developerguide/authentication.md
+++ b//cognito/latest/developerguide/authentication.md
@@ -194 +194,3 @@ For more information about app clients, see [Application-specific settings with
-After five failed unauthenticated or IAM-authorized sign-in attempts with a password, Amazon Cognito locks out your user for one second. The lockout duration then doubles after each additional one failed attempt, up to a maximum of approximately 15 minutes. Attempts made during a lockout period generate a `Password attempts exceeded` exception, and don't affect the duration of subsequent lockout periods. For a cumulative number of failed sign-in attempts _n_ , not including `Password attempts exceeded` exceptions, Amazon Cognito locks out your user for _2^(n-5)_ seconds. To reset the lockout to its _n=0_ initial state, your user must either sign in successfully after a lockout period expires, or not initiate any sign-in attempts for 15 consecutive minutes at any time after a lockout. This behavior is subject to change. This behavior doesn't apply to custom challenges unless they also perform password-based authentication.
+After five failed sign-in attempts with a user's password, regardless of whether those are requested with unauthenticated or IAM-authorized API operations, Amazon Cognito locks out your user for one second. The lockout duration then doubles after each additional one failed attempt, up to a maximum of approximately 15 minutes.
+
+Attempts made during a lockout period generate a `Password attempts exceeded` exception, and don't affect the duration of subsequent lockout periods. For a cumulative number of failed sign-in attempts _n_ , not including `Password attempts exceeded` exceptions, Amazon Cognito locks out your user for _2^(n-5)_ seconds. To reset the lockout to its _n=0_ initial state, your user must either sign in successfully after a lockout period expires, or not initiate any sign-in attempts for 15 consecutive minutes at any time after a lockout. This behavior is subject to change. This behavior doesn't apply to custom challenges unless they also perform password-based authentication.