AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2026-03-19 · Documentation low

File: cognito/latest/developerguide/user-pool-settings-mfa.md

Summary

Updated MFA documentation to clarify that passkeys with user verification can satisfy MFA requirements when configured with MULTI_FACTOR_WITH_USER_VERIFICATION, and updated related configuration options

Security assessment

This change documents a security feature enhancement allowing passkeys to serve as MFA. It provides important documentation for secure authentication configuration but doesn't address a specific security vulnerability or incident.

Diff

diff --git a/cognito/latest/developerguide/user-pool-settings-mfa.md b/cognito/latest/developerguide/user-pool-settings-mfa.md
index 64255c799..35d10eba0 100644
--- a//cognito/latest/developerguide/user-pool-settings-mfa.md
+++ b//cognito/latest/developerguide/user-pool-settings-mfa.md
@@ -44 +44 @@ Before you set up MFA, consider the following:
-  * Users can either have MFA _or_ sign in with passwordless factors.
+  * Users can either have MFA _or_ sign in with passwordless factors, with one exception: passkeys with user verification can satisfy MFA requirements when you set `FactorConfiguration` to `MULTI_FACTOR_WITH_USER_VERIFICATION` in your user pool `WebAuthnConfiguration`.
@@ -46 +46 @@ Before you set up MFA, consider the following:
-    * You can't set MFA to required in user pools that support [one-time passwords](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passwordless) or [passkeys](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passkey).
+    * You can't set MFA to required in user pools that support [one-time passwords](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passwordless).
@@ -48 +48 @@ Before you set up MFA, consider the following:
-    * You can't add `WEB_AUTHN`, `EMAIL_OTP`, or `SMS_OTP` to `AllowedFirstAuthFactors` when MFA is required in your user pool. In the Amazon Cognito console, you can't edit **Options for choice-based sign-in** to include passwordless factors.
+    * You can't add `EMAIL_OTP` or `SMS_OTP` to `AllowedFirstAuthFactors` when MFA is required in your user pool. You can add `WEB_AUTHN` when `FactorConfiguration` is set to `MULTI_FACTOR_WITH_USER_VERIFICATION`.
@@ -61,0 +62,2 @@ Optional | Not configured | Yes | No | Yes
+Optional (with passkey MFA enabled) | Passkey MFA configured | Yes | Yes (after password sign-in) | Yes (passkey with user verification satisfies MFA)  
+Required (with passkey MFA enabled) | Passkey MFA configured | Yes | Yes (after password sign-in) | Yes (passkey with user verification satisfies MFA)