From c615b28f3ed7d1ec3dd2c89e8bbd8c2b8481854a Mon Sep 17 00:00:00 2001
From: Prakhar Gupta <prakhargupta089@gmail.com>
Date: Sun, 19 Apr 2026 01:32:31 +0530
Subject: [PATCH] docs(auth): clarify Webauthn device-level security behaviour

---
 .../manage-users/manage-webauthn-credentials/index.mdx | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/pages/[platform]/build-a-backend/auth/manage-users/manage-webauthn-credentials/index.mdx b/src/pages/[platform]/build-a-backend/auth/manage-users/manage-webauthn-credentials/index.mdx
index 644b40d2bb5..45f862e08b3 100644
--- a/src/pages/[platform]/build-a-backend/auth/manage-users/manage-webauthn-credentials/index.mdx
+++ b/src/pages/[platform]/build-a-backend/auth/manage-users/manage-webauthn-credentials/index.mdx
@@ -153,6 +153,16 @@ func associateWebAuthNCredentials() -> AnyCancellable {
 
 The user will be prompted to register a passkey using their local authenticator. Amplify will then associate that passkey with Cognito.
 
+<Callout>
+
+Passkey registration relies on the browser and operating system for enforcing user verification (such as PIN, password, or biometrics).
+
+If a device does not have a secure screen lock configured, the browser/OS may block the registration flow or prompt the user to set it up before proceeding.
+
+Amplify and Cognito do not override or bypass these device-level security checks.
+
+</Callout>
+
 ## List WebAuthn credentials
 
 You can list registered passkeys using the following API: