AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-19 · Documentation medium

File: cli/latest/reference/cognito-idp/set-user-mfa-preference.md

Summary

Added web-authn-mfa-settings parameter documentation for configuring passkey MFA preferences at user level

Security assessment

This change adds documentation for a new parameter that allows users to enable/disable passkey MFA. It includes security considerations about requiring user verification and preventing account lockout by requiring another MFA method. This documents enhanced security features but doesn't fix a specific security issue.

Diff

diff --git a/cli/latest/reference/cognito-idp/set-user-mfa-preference.md b/cli/latest/reference/cognito-idp/set-user-mfa-preference.md
index 9275e19fb..d553e272d 100644
--- a//cli/latest/reference/cognito-idp/set-user-mfa-preference.md
+++ b//cli/latest/reference/cognito-idp/set-user-mfa-preference.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »
@@ -76,0 +77 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit
+    [--web-authn-mfa-settings <value>]
@@ -183,0 +185,22 @@ JSON Syntax:
+`--web-authn-mfa-settings` (structure)
+
+> User preferences for passkey MFA. Activates or deactivates passkey MFA for the user. When activated, passkey authentication requires user verification, and passkey sign-in is available when MFA is required. To activate this setting, the `FactorConfiguration` of your user pool `WebAuthnConfiguration` must be `MULTI_FACTOR_WITH_USER_VERIFICATION` . To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.
+> 
+> Enabled -> (boolean)
+>
+>> Specifies whether passkey MFA is activated for a user. When activated, the user’s passkey authentication requires user verification, and passkey sign-in is available when MFA is required. The user must also have at least one other MFA method such as SMS, TOTP, or email activated to prevent account lockout.
+
+Shorthand Syntax:
+    
+    
+    Enabled=boolean
+    
+
+JSON Syntax:
+    
+    
+    {
+      "Enabled": true|false
+    }
+    
+
@@ -343 +366 @@ None
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »