AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-08-22 · Documentation low

File: cli/latest/reference/cognito-idp/respond-to-auth-challenge.md

Summary

Updated challenge response documentation: Added WEB_AUTHN details, clarified parameters for PASSWORD/PASSWORD_SRP, introduced EMAIL_MFA/SMS_OTP challenges, standardized device authentication requirements, and added example structures.

Security assessment

The changes enhance documentation of authentication challenges (including WebAuthn and new MFA options) and clarify security parameters like SECRET_HASH and DEVICE_KEY usage. While this improves security guidance, there's no evidence of a specific vulnerability being addressed.

Diff

diff --git a/cli/latest/reference/cognito-idp/respond-to-auth-challenge.md b/cli/latest/reference/cognito-idp/respond-to-auth-challenge.md
index ebf49ef85..0f545d97a 100644
--- a//cli/latest/reference/cognito-idp/respond-to-auth-challenge.md
+++ b//cli/latest/reference/cognito-idp/respond-to-auth-challenge.md
@@ -15 +15 @@
-  * [AWS CLI 2.28.12 Command Reference](../../index.html) »
+  * [AWS CLI 2.28.15 Command Reference](../../index.html) »
@@ -127,10 +127,12 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit
-> All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters.
-> 
->   * `WEB_AUTHN` : Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys.
->   * `PASSWORD` : Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` .
->   * `PASSWORD_SRP` : Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` .
->   * `SELECT_CHALLENGE` : Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge types in the `AvailableChallenges` response parameter.
->   * `SMS_MFA` : Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message.
->   * `EMAIL_OTP` : Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message.
->   * `PASSWORD_VERIFIER` : Respond with `PASSWORD_CLAIM_SIGNATURE` , `PASSWORD_CLAIM_SECRET_BLOCK` , and `TIMESTAMP` after client-side SRP calculations.
->   * `CUSTOM_CHALLENGE` : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function.
+> All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. Include a `DEVICE_KEY` for device authentication.
+> 
+>   * `WEB_AUTHN` : Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey, as `CREDENTIAL` . Examples of WebAuthn authenticators include biometric devices and security keys.
+>   * `PASSWORD` : Respond with the user’s password as `PASSWORD` .
+>   * `PASSWORD_SRP` : Respond with the initial SRP secret as `SRP_A` .
+>   * `SELECT_CHALLENGE` : Respond with a challenge selection as `ANSWER` . It must be one of the challenge types in the `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP` .
+>   * `SMS_MFA` : Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE`
+>   * `EMAIL_MFA` : Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE`
+>   * `EMAIL_OTP` : Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` .
+>   * `SMS_OTP` : Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE` .
+>   * `PASSWORD_VERIFIER` : Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE` , `PASSWORD_CLAIM_SECRET_BLOCK` , and `TIMESTAMP` .
+>   * `CUSTOM_CHALLENGE` : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function and issued in the `ChallengeParameters` of a challenge response.
@@ -204 +206 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit
-> SMS_OTP
+> WEB_AUTHN
@@ -208,0 +211,14 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit
+>> `"ChallengeName": "WEB_AUTHN", "ChallengeResponses": { "USERNAME": "[username]", "CREDENTIAL": "[AuthenticationResponseJSON]"}`
+> 
+> See [AuthenticationResponseJSON](https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson) .
+>
+>> > PASSWORD
+>> 
+>> `"ChallengeName": "PASSWORD", "ChallengeResponses": { "USERNAME": "[username]", "PASSWORD": "[password]"}`
+>>
+>>> PASSWORD_SRP
+>> 
+>> `"ChallengeName": "PASSWORD_SRP", "ChallengeResponses": { "USERNAME": "[username]", "SRP_A": "[SRP_A]"}`
+>>
+>>> SMS_OTP
+>> 
@@ -224,3 +240 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit
-> 
-> Add `"DEVICE_KEY"` when you sign in with a remembered device.
->
+>>
@@ -230,3 +244 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit
-> 
-> Add `"DEVICE_KEY"` when you sign in with a remembered device.
->
+>>
@@ -261 +273 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit
-> `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA or SOFTWARE_TOKEN_MFA]"}`
+> `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA|EMAIL_MFA|SOFTWARE_TOKEN_MFA]"}`
@@ -574,10 +586,12 @@ ChallengeName -> (string)
-> All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters.
-> 
->   * `WEB_AUTHN` : Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys.
->   * `PASSWORD` : Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` .
->   * `PASSWORD_SRP` : Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` .
->   * `SELECT_CHALLENGE` : Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge types in the `AvailableChallenges` response parameter.
->   * `SMS_MFA` : Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message.
->   * `EMAIL_OTP` : Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message.
->   * `PASSWORD_VERIFIER` : Respond with `PASSWORD_CLAIM_SIGNATURE` , `PASSWORD_CLAIM_SECRET_BLOCK` , and `TIMESTAMP` after client-side SRP calculations.
->   * `CUSTOM_CHALLENGE` : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function.
+> All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. Include a `DEVICE_KEY` for device authentication.
+> 
+>   * `WEB_AUTHN` : Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey, as `CREDENTIAL` . Examples of WebAuthn authenticators include biometric devices and security keys.
+>   * `PASSWORD` : Respond with the user’s password as `PASSWORD` .
+>   * `PASSWORD_SRP` : Respond with the initial SRP secret as `SRP_A` .
+>   * `SELECT_CHALLENGE` : Respond with a challenge selection as `ANSWER` . It must be one of the challenge types in the `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP` .
+>   * `SMS_MFA` : Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE`
+>   * `EMAIL_MFA` : Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE`
+>   * `EMAIL_OTP` : Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` .
+>   * `SMS_OTP` : Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE` .
+>   * `PASSWORD_VERIFIER` : Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE` , `PASSWORD_CLAIM_SECRET_BLOCK` , and `TIMESTAMP` .
+>   * `CUSTOM_CHALLENGE` : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function and issued in the `ChallengeParameters` of a challenge response.
@@ -656 +670 @@ AuthenticationResult -> (structure)
-  * [AWS CLI 2.28.12 Command Reference](../../index.html) »
+  * [AWS CLI 2.28.15 Command Reference](../../index.html) »