AWS cognito documentation change
Summary
Clarified and updated documentation regarding passwordless authentication, OTP, passkeys, and MFA compatibility. Added details about FactorConfiguration setting (SINGLE_FACTOR, MULTI_FACTOR_WITH_USER_VERIFICATION) and how passkey authentication can satisfy MFA requirements.
Security assessment
This change adds and clarifies documentation about security features (MFA, passkey authentication, user verification). It explains how to configure passkey authentication to meet MFA requirements, which is a security enhancement. However, there is no evidence in the diff that this change is directly addressing a specific security vulnerability, weakness, or incident. It appears to be a feature documentation update.
Diff
diff --git a/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md b/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md index d475ac631..5e8beae41 100644 --- a//cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md +++ b//cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.md @@ -315 +315 @@ Passwords can be lost or stolen. You might want to verify only that your users h -Passwordless authentication flows aren't compatible with required multi-factor authentication (MFA) in your user pool. If MFA is optional in your user pool, users who have activated MFA can't sign in with a passwordless first factor. Users who don't have an MFA preference in an MFA-optional user pool can sign in with passwordless factors. For more information, see [Things to know about user pool MFA](./user-pool-settings-mfa.html#user-pool-settings-mfa-prerequisites). +One-time password (OTP) authentication flows aren't compatible with required multi-factor authentication (MFA) in your user pool. Passkey authentication with user verification can satisfy MFA requirements when you set `FactorConfiguration` to `MULTI_FACTOR_WITH_USER_VERIFICATION`. If MFA is optional in your user pool, users who have activated MFA can't sign in with an OTP first factor. Users who don't have an MFA preference in an MFA-optional user pool can sign in with passwordless factors. For more information, see [Things to know about user pool MFA](./user-pool-settings-mfa.html#user-pool-settings-mfa-prerequisites). @@ -444 +444 @@ Passkeys are secure and impose a relatively low effort level on users. Passkey s -You might want to replace passwords with the thumbprint, face, or security-key authentication. This is _passkey_ or _WebAuthn_ authentication. It's common for application developers to permit users to enroll a biometric device after they first sign in with a password. With Amazon Cognito user pools, your application can configure this sign-in option for users. Passkey authentication isn't eligible for multi-factor authentication (MFA). +You might want to replace passwords with the thumbprint, face, or security-key authentication. This is _passkey_ or _WebAuthn_ authentication. It's common for application developers to permit users to enroll a biometric device after they first sign in with a password. With Amazon Cognito user pools, your application can configure this sign-in option for users. Passkey authentication can satisfy multi-factor authentication (MFA) requirements when your user pool has `FactorConfiguration` set to `MULTI_FACTOR_WITH_USER_VERIFICATION`. In this configuration, passkey authentication with user verification counts as multi-factor authentication. @@ -446 +446 @@ You might want to replace passwords with the thumbprint, face, or security-key a -Passwordless authentication flows aren't compatible with required multi-factor authentication (MFA) in your user pool. If MFA is optional in your user pool, users who have activated MFA can't sign in with a passwordless first factor. Users who don't have an MFA preference in an MFA-optional user pool can sign in with passwordless factors. For more information, see [Things to know about user pool MFA](./user-pool-settings-mfa.html#user-pool-settings-mfa-prerequisites). +One-time password (OTP) authentication flows aren't compatible with required multi-factor authentication (MFA) in your user pool. Passkey authentication with user verification can satisfy MFA requirements when you set `FactorConfiguration` to `MULTI_FACTOR_WITH_USER_VERIFICATION`. If MFA is optional in your user pool, users who have activated MFA can't sign in with an OTP first factor. Users who don't have an MFA preference in an MFA-optional user pool can sign in with passwordless factors. For more information, see [Things to know about user pool MFA](./user-pool-settings-mfa.html#user-pool-settings-mfa-prerequisites). @@ -537 +537,2 @@ Configure your user-verification preference and RP ID in the `WebAuthnConfigurat - "UserVerification": "preferred" + "UserVerification": "preferred", + "FactorConfiguration": "SINGLE_FACTOR" @@ -619 +620 @@ Amazon Cognito responds with a `WEB_AUTHN` challenge. Your application must resp -You can set up users who complete sign-in with a username-password flow to be prompted for additional verification with a one-time password from an email message, SMS message, or code-generating application. MFA is distinct from passwordless sign-in, a first authentication factor with one-time passwords or WebAuthn passkeys that doesn't include MFA. MFA in user pools is a challenge-response model, where a user first demonstrates they know the password, then they demonstrate that they have access to their registered second-factor device. +You can set up users who complete sign-in with a username-password flow to be prompted for additional verification with a one-time password from an email message, SMS message, or code-generating application. MFA is distinct from passwordless sign-in with one-time passwords. However, passkeys with user verification can satisfy MFA requirements when you configure `FactorConfiguration` as `MULTI_FACTOR_WITH_USER_VERIFICATION` in your user pool `WebAuthnConfiguration`. For password-based flows, MFA in user pools is a challenge-response model where a user first demonstrates they know the password, then demonstrates that they have access to their registered second-factor device.