AWS Security ChangesHomeSearch

AWS cognito medium security documentation change

Service: cognito · 2025-11-10 · Security-related medium

File: cognito/latest/developerguide/user-pool-settings-mfa.md

Summary

Added new section 'Prevent the use of the same factor for sign-in and MFA' with configuration guidance

Security assessment

Addresses security weakness where using same factor for sign-in and MFA (e.g., email OTP for both) reduces security effectiveness. Provides explicit guidance to prevent this misconfiguration, which could otherwise negate MFA benefits.

Diff

diff --git a/cognito/latest/developerguide/user-pool-settings-mfa.md b/cognito/latest/developerguide/user-pool-settings-mfa.md
index 64d8596b5..f54ac3a68 100644
--- a//cognito/latest/developerguide/user-pool-settings-mfa.md
+++ b//cognito/latest/developerguide/user-pool-settings-mfa.md
@@ -107,0 +108,28 @@ Users can set up multiple MFA factors. Only one can be active. You can choose th
+### Prevent the use of the same factor for sign-in and MFA
+
+It's possible to configure your user pool in a way that makes one sign-in factor the only available sign-in and MFA option for some or all users. This result can happen when your primary sign-in use case is email-message or SMS-message one-time passwords (OTPs). A user's preferred MFA might be the same type of factor as their sign-in under the following conditions:
+
+  * MFA is required in the user pool.
+
+  * Email and SMS OTP are available sign-in _and_ MFA options in the user pool.
+
+  * The user signs in with email or SMS message OTP.
+
+  * They have an email-address attribute but no phone-number attribute, or a phone-number attribute but no email-address attribute.
+
+
+
+
+In this scenario, the user can sign in with an email OTP and complete MFA with an email OTP. This option cancels out the essential function of MFA. Users who sign in with one-time passwords must be able to use different delivery methods for sign-in than for MFA. When users have both SMS and email options, Amazon Cognito automatically assigns a different factor. For example, when a user signs in with email OTP, their preferred MFA is SMS OTP.
+
+Take the following steps to address same-factor authentication when your user pool supports OTP authentication for both sign-in and MFA.
+
+  1. Enable both email and SMS OTP as sign-in factors.
+
+  2. Enable both email and SMS OTP as MFA factors.
+
+  3. Collect
+
+
+
+