AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2026-03-19 · Documentation low

File: cognito/latest/developerguide/authentication.md

Summary

Updated documentation about MFA support for passwordless authentication, clarifying that OTP-based sign-in doesn't support MFA but passkeys with user verification can satisfy MFA requirements

Security assessment

This change clarifies security feature behavior but doesn't address a specific security issue. It provides more accurate documentation about which authentication methods support MFA, which is important for secure authentication design.

Diff

diff --git a/cognito/latest/developerguide/authentication.md b/cognito/latest/developerguide/authentication.md
index 9676a2fc2..867ee5938 100644
--- a//cognito/latest/developerguide/authentication.md
+++ b//cognito/latest/developerguide/authentication.md
@@ -135 +135 @@ Activation of passwordless sign-in with [one-time passwords](./amazon-cognito-us
-  5. Users who sign in with a passwordless first factor can't add a [multi-factor authentication (MFA)](./user-pool-settings-mfa.html) factor to their session. Only password-based authentication flows support MFA.
+  5. Users who sign in with a one-time password (OTP) first factor can't add a [multi-factor authentication (MFA)](./user-pool-settings-mfa.html) factor to their session. Passkeys with user verification can satisfy MFA requirements when configured with `MULTI_FACTOR_WITH_USER_VERIFICATION`.