AWS cli documentation change
Summary
Updated WebAuthn configuration documentation and added FactorConfiguration parameter for passkey MFA settings at pool level
Security assessment
This change adds documentation for configuring passkey authentication as MFA at the user pool level. It introduces a new FactorConfiguration parameter that determines whether passkeys with user verification can satisfy MFA requirements. This enhances authentication security documentation but doesn't address a specific security vulnerability.
Diff
diff --git a/cli/latest/reference/cognito-idp/set-user-pool-mfa-config.md b/cli/latest/reference/cognito-idp/set-user-pool-mfa-config.md index 28818a7df..f698462df 100644 --- a//cli/latest/reference/cognito-idp/set-user-pool-mfa-config.md +++ b//cli/latest/reference/cognito-idp/set-user-pool-mfa-config.md @@ -15 +15 @@ - * [AWS CLI 2.34.29 Command Reference](../../index.html) » + * [AWS CLI 2.34.32 Command Reference](../../index.html) » @@ -275 +275 @@ JSON Syntax: -> The configuration of your user pool for passkey, or WebAuthn, authentication and registration. You can set this configuration independent of the MFA configuration options in this operation. +> The configuration of your user pool for passkey, or WebAuthn, authentication and registration. Includes relying-party configuration, user-verification requirements, and whether passkeys can satisfy MFA requirements. @@ -305,0 +306,11 @@ JSON Syntax: +> +> FactorConfiguration -> (string) +> +>> Sets whether passkeys can be used as multi-factor authentication (MFA). When set to `MULTI_FACTOR_WITH_USER_VERIFICATION` , passkey authentication with user verification satisfies MFA requirements. When set to `SINGLE_FACTOR` or not set, passkeys are a single authentication factor. To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher. +>> +>> Possible values: +>> +>> * `SINGLE_FACTOR` +>> * `MULTI_FACTOR_WITH_USER_VERIFICATION` +>> + @@ -310 +321 @@ Shorthand Syntax: - RelyingPartyId=string,UserVerification=string + RelyingPartyId=string,UserVerification=string,FactorConfiguration=string @@ -318 +329,2 @@ JSON Syntax: - "UserVerification": "required"|"preferred" + "UserVerification": "required"|"preferred", + "FactorConfiguration": "SINGLE_FACTOR"|"MULTI_FACTOR_WITH_USER_VERIFICATION" @@ -596 +608 @@ WebAuthnConfiguration -> (structure) -> The configuration of your user pool for passkey, or WebAuthn, sign-in with authenticators like biometric and security-key devices. Includes relying-party configuration and settings for user-verification requirements. +> The configuration of your user pool for passkey, or WebAuthn, sign-in with authenticators such as biometric and security-key devices. Includes relying-party configuration and settings for user-verification requirements. @@ -626,0 +639,11 @@ WebAuthnConfiguration -> (structure) +> +> FactorConfiguration -> (string) +> +>> Sets whether passkeys can be used as multi-factor authentication (MFA). When set to `MULTI_FACTOR_WITH_USER_VERIFICATION` , passkey authentication with user verification satisfies MFA requirements. When set to `SINGLE_FACTOR` or not set, passkeys are a single authentication factor. To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher. +>> +>> Possible values: +>> +>> * `SINGLE_FACTOR` +>> * `MULTI_FACTOR_WITH_USER_VERIFICATION` +>> + @@ -638 +661 @@ WebAuthnConfiguration -> (structure) - * [AWS CLI 2.34.29 Command Reference](../../index.html) » + * [AWS CLI 2.34.32 Command Reference](../../index.html) »