AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-19 · Documentation medium

File: cli/latest/reference/cognito-idp/get-user-pool-mfa-config.md

Summary

Updated WebAuthn configuration documentation to clarify passkey MFA capabilities and added FactorConfiguration field documentation

Security assessment

This change adds documentation about passkey authentication security features, specifically how passkeys can be configured as multi-factor authentication (MFA) with user verification. It documents a new FactorConfiguration parameter that controls whether passkeys satisfy MFA requirements, which enhances authentication security but doesn't address a specific security vulnerability.

Diff

diff --git a/cli/latest/reference/cognito-idp/get-user-pool-mfa-config.md b/cli/latest/reference/cognito-idp/get-user-pool-mfa-config.md
index 868bc384b..5467086b0 100644
--- a//cli/latest/reference/cognito-idp/get-user-pool-mfa-config.md
+++ b//cli/latest/reference/cognito-idp/get-user-pool-mfa-config.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »
@@ -393 +393 @@ WebAuthnConfiguration -> (structure)
-> Shows user pool configuration for sign-in with passkey authenticators like biometric devices and security keys. Passkeys are not eligible MFA factors. They are instead an eligible primary sign-in factor for [choice-based authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice) , or the `USER_AUTH` flow.
+> Shows user pool configuration for sign-in with passkey authenticators such as biometric devices and security keys. Includes relying-party configuration, user-verification requirements, and whether passkeys can satisfy MFA requirements.
@@ -423,0 +424,11 @@ WebAuthnConfiguration -> (structure)
+> 
+> FactorConfiguration -> (string)
+>
+>> Sets whether passkeys can be used as multi-factor authentication (MFA). When set to `MULTI_FACTOR_WITH_USER_VERIFICATION` , passkey authentication with user verification satisfies MFA requirements. When set to `SINGLE_FACTOR` or not set, passkeys are a single authentication factor. To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.
+>> 
+>> Possible values:
+>> 
+>>   * `SINGLE_FACTOR`
+>>   * `MULTI_FACTOR_WITH_USER_VERIFICATION`
+>> 
+
@@ -435 +446 @@ WebAuthnConfiguration -> (structure)
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »