AWS Security ChangesHomeSearch

AWS cognito medium security documentation change

Service: cognito · 2025-11-10 · Security-related medium

File: cognito/latest/developerguide/troubleshooting.md

Summary

Added new troubleshooting section for password reset failures due to unverified recovery attributes

Security assessment

Addresses security-related configuration issues with account recovery mechanisms and MFA conflicts that could lock users out or expose recovery methods

Diff

diff --git a/cognito/latest/developerguide/troubleshooting.md b/cognito/latest/developerguide/troubleshooting.md
index f85488681..e3630cdc1 100644
--- a//cognito/latest/developerguide/troubleshooting.md
+++ b//cognito/latest/developerguide/troubleshooting.md
@@ -5 +5 @@
-Custom domain configuration errorsInvalid refresh token errorInvalid SAML response errors in federationManaged login users can't select an MFA factorNot able to receive password reset code through email/SMSSECRET_HASH errorsThe Amazon Cognito console chooses a default configuration for a new user poolAdditional troubleshooting resources
+Custom domain configuration errorsInvalid refresh token errorInvalid SAML response errors in federationManaged login users can't select an MFA factorNot able to receive password reset code through email/SMSPassword reset fails with unverified recovery attributes: Could not reset password for the account, please contact support or try againSECRET_HASH errorsThe Amazon Cognito console chooses a default configuration for a new user poolAdditional troubleshooting resources
@@ -317,0 +318,25 @@ For more information, see [Email settings for Amazon Cognito user pools](./user-
+## Password reset fails with unverified recovery attributes: `Could not reset password for the account, please contact support or try again`
+
+**Problem**
+    
+
+Users receive this error when attempting to reset their password because of unverified recovery methods or MFA configuration conflicts. The error occurs when the user's email or phone number attribute is unverified, or when their MFA settings prevent using the configured recovery method.
+
+**Solution**
+    
+
+Review your user pool's account recovery configuration and the affected user's verification status:
+
+  * **Verify recovery settings:** In your user pool, navigate to **Sign In** > **User Account Recovery**. Ensure **Self service account recovery** is enabled and review your **Recovery message delivery method** setting.
+
+  * **Check user attribute verification:** Verify that the user has a verified email address or phone number that matches your recovery method configuration. In the console, go to the user's profile, select **User attributes** > **Edit** , and mark the appropriate attribute as verified.
+
+  * **Resolve MFA conflicts:** Users whose preferred MFA method is email can't receive password-reset codes by email, and users with SMS MFA can't receive codes by SMS. Update your **Recovery message delivery method** to provide alternative options such as **SMS if available, otherwise email** or **Email if available, otherwise SMS**.
+
+  * **Administrative verification:** Use the API operation [AdminUpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) to programmatically verify user attributes when console access isn't available.
+
+
+
+
+For more information, see [Passwords, account recovery, and password policies](./managing-users-passwords.html).
+
@@ -375 +400 @@ For additional troubleshooting guidance and community-contributed solutions, you
-  * [AWS re:Post Amazon Cognito community](https://repost.aws/tags/TA4IvCeRIxS_-n3_9K6hBrfw/amazon-cognito) \- Browse community questions and solutions
+  * [AWS re:Post Amazon Cognito community](https://repost.aws/tags/TAkhAE7QaGSoKZwd6utGhGDA/amazon-cognito) \- Browse community questions and solutions