AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-19 · Documentation medium

File: cli/latest/reference/cognito-idp/admin-set-user-mfa-preference.md

Summary

Added new --web-authn-mfa-settings parameter for passkey MFA configuration and updated AWS CLI version reference

Security assessment

This change adds documentation for a new security feature (passkey MFA) but does not address a specific security vulnerability. The documentation explains how to activate/deactivate passkey MFA for users, which requires user verification and helps prevent account lockout by requiring at least one other MFA method. This enhances authentication security but is not a response to a specific security incident.

Diff

diff --git a/cli/latest/reference/cognito-idp/admin-set-user-mfa-preference.md b/cli/latest/reference/cognito-idp/admin-set-user-mfa-preference.md
index 9cfd1e2aa..bc6f2c895 100644
--- a//cli/latest/reference/cognito-idp/admin-set-user-mfa-preference.md
+++ b//cli/latest/reference/cognito-idp/admin-set-user-mfa-preference.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »
@@ -81,0 +82 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit
+    [--web-authn-mfa-settings <value>]
@@ -189,0 +191,22 @@ JSON Syntax:
+`--web-authn-mfa-settings` (structure)
+
+> User preferences for passkey MFA. Activates or deactivates passkey MFA for the user. When activated, passkey authentication requires user verification, and passkey sign-in is available when MFA is required. To activate this setting, the `FactorConfiguration` of your user pool `WebAuthnConfiguration` must be `MULTI_FACTOR_WITH_USER_VERIFICATION` . To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.
+> 
+> Enabled -> (boolean)
+>
+>> Specifies whether passkey MFA is activated for a user. When activated, the user’s passkey authentication requires user verification, and passkey sign-in is available when MFA is required. The user must also have at least one other MFA method such as SMS, TOTP, or email activated to prevent account lockout.
+
+Shorthand Syntax:
+    
+    
+    Enabled=boolean
+    
+
+JSON Syntax:
+    
+    
+    {
+      "Enabled": true|false
+    }
+    
+
@@ -357 +380 @@ None
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »