AWS cognito documentation change
Summary
Updated MFA documentation to clarify that passkeys with user verification can satisfy MFA requirements when configured with MULTI_FACTOR_WITH_USER_VERIFICATION, and updated related configuration options
Security assessment
This change documents a security feature enhancement allowing passkeys to serve as MFA. It provides important documentation for secure authentication configuration but doesn't address a specific security vulnerability or incident.
Diff
diff --git a/cognito/latest/developerguide/user-pool-settings-mfa.md b/cognito/latest/developerguide/user-pool-settings-mfa.md index 64255c799..35d10eba0 100644 --- a//cognito/latest/developerguide/user-pool-settings-mfa.md +++ b//cognito/latest/developerguide/user-pool-settings-mfa.md @@ -44 +44 @@ Before you set up MFA, consider the following: - * Users can either have MFA _or_ sign in with passwordless factors. + * Users can either have MFA _or_ sign in with passwordless factors, with one exception: passkeys with user verification can satisfy MFA requirements when you set `FactorConfiguration` to `MULTI_FACTOR_WITH_USER_VERIFICATION` in your user pool `WebAuthnConfiguration`. @@ -46 +46 @@ Before you set up MFA, consider the following: - * You can't set MFA to required in user pools that support [one-time passwords](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passwordless) or [passkeys](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passkey). + * You can't set MFA to required in user pools that support [one-time passwords](./amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passwordless). @@ -48 +48 @@ Before you set up MFA, consider the following: - * You can't add `WEB_AUTHN`, `EMAIL_OTP`, or `SMS_OTP` to `AllowedFirstAuthFactors` when MFA is required in your user pool. In the Amazon Cognito console, you can't edit **Options for choice-based sign-in** to include passwordless factors. + * You can't add `EMAIL_OTP` or `SMS_OTP` to `AllowedFirstAuthFactors` when MFA is required in your user pool. You can add `WEB_AUTHN` when `FactorConfiguration` is set to `MULTI_FACTOR_WITH_USER_VERIFICATION`. @@ -61,0 +62,2 @@ Optional | Not configured | Yes | No | Yes +Optional (with passkey MFA enabled) | Passkey MFA configured | Yes | Yes (after password sign-in) | Yes (passkey with user verification satisfies MFA) +Required (with passkey MFA enabled) | Passkey MFA configured | Yes | Yes (after password sign-in) | Yes (passkey with user verification satisfies MFA)