AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2026-03-19 · Documentation low

File: cognito/latest/developerguide/troubleshooting.md

Summary

Clarified MFA limitations for OTP authentication and added information about passkeys satisfying MFA requirements with user verification

Security assessment

This provides more accurate documentation about authentication security features. It clarifies which passwordless methods support MFA, which is important for secure authentication design but doesn't address a specific security vulnerability.

Diff

diff --git a/cognito/latest/developerguide/troubleshooting.md b/cognito/latest/developerguide/troubleshooting.md
index 56167c227..ac9d9119a 100644
--- a//cognito/latest/developerguide/troubleshooting.md
+++ b//cognito/latest/developerguide/troubleshooting.md
@@ -276 +276 @@ For more information, see [Adding MFA to a user pool](./user-pool-settings-mfa.h
-Users who sign in with passwordless authentication methods or passkeys cannot add or use multi-factor authentication.
+Users who sign in with one-time password (OTP) authentication methods cannot add or use multi-factor authentication.
@@ -281 +281 @@ Users who sign in with passwordless authentication methods or passkeys cannot ad
-This is an intended limitation. You can configure your user pool so that users have MFA or sign in with passwordless factors, but not both. MFA is only available for password-based authentication flows.
+OTP sign-in flows don't support MFA. However, passkey authentication with user verification can satisfy MFA requirements. Set `FactorConfiguration` to `MULTI_FACTOR_WITH_USER_VERIFICATION` in your user pool `WebAuthnConfiguration` to allow passkeys to count as multi-factor authentication.