AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-08-22 · Documentation low

File: cli/latest/reference/cognito-idp/initiate-auth.md

Summary

Updated authentication flow documentation with detailed parameters, added DEVICE_KEY guidance for MFA bypass, and clarified challenge response requirements

Security assessment

The changes clarify security-related parameters like SECRET_HASH and DEVICE_KEY usage, particularly noting that DEVICE_KEY can bypass MFA with remembered devices. While this documents security features (device authentication and client secret requirements), there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/cli/latest/reference/cognito-idp/initiate-auth.md b/cli/latest/reference/cognito-idp/initiate-auth.md
index bec354eca..820def0a5 100644
--- a//cli/latest/reference/cognito-idp/initiate-auth.md
+++ b//cli/latest/reference/cognito-idp/initiate-auth.md
@@ -15 +15 @@
-  * [AWS CLI 2.28.12 Command Reference](../../index.html) »
+  * [AWS CLI 2.28.15 Command Reference](../../index.html) »
@@ -152 +152 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit
-> The required values are specific to the InitiateAuthRequest$AuthFlow .
+> The following are some authentication flows and their parameters. Add a `SECRET_HASH` parameter if your app client has a client secret. Add `DEVICE_KEY` if you want to bypass multi-factor authentication with a remembered device.
@@ -154 +154,29 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit
-> The following are some authentication flows and their parameters. Add a `SECRET_HASH` parameter if your app client has a client secret.
+>> USER_AUTH
+> 
+>   * `USERNAME` (required)
+> 
+>   * `PREFERRED_CHALLENGE` . If you don’t provide a value for `PREFERRED_CHALLENGE` , Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the available sign-in methods.
+> 
+> USER_SRP_AUTH
+> 
+>   * `USERNAME` (required)
+> 
+>   * `SRP_A` (required)
+> 
+> USER_PASSWORD_AUTH
+> 
+>   * `USERNAME` (required)
+> 
+>   * `PASSWORD` (required)
+> 
+> REFRESH_TOKEN_AUTH/REFRESH_TOKEN
+> 
+>   * `REFRESH_TOKEN` (required)
+> 
+> CUSTOM_AUTH
+> 
+>   * `USERNAME` (required)
+> 
+>   * `ChallengeName: SRP_A` (when doing SRP authentication before custom challenges)
+> 
+>   * `SRP_A: (An SRP_A value)` (when doing SRP authentication before custom challenges)
@@ -156,5 +183,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit
->   * `USER_AUTH` : `USERNAME` (required), `PREFERRED_CHALLENGE` . If you don’t provide a value for `PREFERRED_CHALLENGE` , Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the available sign-in methods.
->   * `USER_SRP_AUTH` : `USERNAME` (required), `SRP_A` (required), `DEVICE_KEY` .
->   * `USER_PASSWORD_AUTH` : `USERNAME` (required), `PASSWORD` (required), `DEVICE_KEY` .
->   * `REFRESH_TOKEN_AUTH/REFRESH_TOKEN` : `REFRESH_TOKEN` (required), `DEVICE_KEY` .
->   * `CUSTOM_AUTH` : `USERNAME` (required), `SECRET_HASH` (if app client is configured with client secret), `DEVICE_KEY` . To start the authentication flow with password verification, include `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)` .
@@ -444,10 +467,12 @@ ChallengeName -> (string)
-> All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters.
-> 
->   * `WEB_AUTHN` : Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys.
->   * `PASSWORD` : Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` .
->   * `PASSWORD_SRP` : Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` .
->   * `SELECT_CHALLENGE` : Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge types in the `AvailableChallenges` response parameter.
->   * `SMS_MFA` : Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message.
->   * `EMAIL_OTP` : Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message.
->   * `PASSWORD_VERIFIER` : Respond with `PASSWORD_CLAIM_SIGNATURE` , `PASSWORD_CLAIM_SECRET_BLOCK` , and `TIMESTAMP` after client-side SRP calculations.
->   * `CUSTOM_CHALLENGE` : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function.
+> All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. Include a `DEVICE_KEY` for device authentication.
+> 
+>   * `WEB_AUTHN` : Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey, as `CREDENTIAL` . Examples of WebAuthn authenticators include biometric devices and security keys.
+>   * `PASSWORD` : Respond with the user’s password as `PASSWORD` .
+>   * `PASSWORD_SRP` : Respond with the initial SRP secret as `SRP_A` .
+>   * `SELECT_CHALLENGE` : Respond with a challenge selection as `ANSWER` . It must be one of the challenge types in the `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP` .
+>   * `SMS_MFA` : Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE`
+>   * `EMAIL_MFA` : Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE`
+>   * `EMAIL_OTP` : Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` .
+>   * `SMS_OTP` : Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE` .
+>   * `PASSWORD_VERIFIER` : Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE` , `PASSWORD_CLAIM_SECRET_BLOCK` , and `TIMESTAMP` .
+>   * `CUSTOM_CHALLENGE` : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function and issued in the `ChallengeParameters` of a challenge response.
@@ -534 +559 @@ AvailableChallenges -> (list)
-  * [AWS CLI 2.28.12 Command Reference](../../index.html) »
+  * [AWS CLI 2.28.15 Command Reference](../../index.html) »