AWS cognito documentation change
Summary
Updated documentation about MFA support for passwordless authentication, clarifying that OTP-based sign-in doesn't support MFA but passkeys with user verification can satisfy MFA requirements
Security assessment
This change clarifies security feature behavior but doesn't address a specific security issue. It provides more accurate documentation about which authentication methods support MFA, which is important for secure authentication design.
Diff
diff --git a/cognito/latest/developerguide/authentication.md b/cognito/latest/developerguide/authentication.md index 9676a2fc2..867ee5938 100644 --- a//cognito/latest/developerguide/authentication.md +++ b//cognito/latest/developerguide/authentication.md @@ -135 +135 @@ Activation of passwordless sign-in with [one-time passwords](./amazon-cognito-us - 5. Users who sign in with a passwordless first factor can't add a [multi-factor authentication (MFA)](./user-pool-settings-mfa.html) factor to their session. Only password-based authentication flows support MFA. + 5. Users who sign in with a one-time password (OTP) first factor can't add a [multi-factor authentication (MFA)](./user-pool-settings-mfa.html) factor to their session. Passkeys with user verification can satisfy MFA requirements when configured with `MULTI_FACTOR_WITH_USER_VERIFICATION`.