diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/integ-user-pool-client-explicit-props.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/integ-user-pool-client-explicit-props.template.json
index 27a0b8be4bc3d..1f19d811f5833 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/integ-user-pool-client-explicit-props.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/integ-user-pool-client-explicit-props.template.json
@@ -66,6 +66,7 @@
 "ALLOW_ADMIN_USER_PASSWORD_AUTH",
 "ALLOW_CUSTOM_AUTH",
 "ALLOW_USER_SRP_AUTH",
+ "ALLOW_USER_AUTH",
 "ALLOW_REFRESH_TOKEN_AUTH"
 ],
 "GenerateSecret": true,
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/tree.json
index 26412cd2cff18..3bd8520772679 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/tree.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/tree.json
@@ -91,6 +91,7 @@
 "ALLOW_ADMIN_USER_PASSWORD_AUTH",
 "ALLOW_CUSTOM_AUTH",
 "ALLOW_USER_SRP_AUTH",
+ "ALLOW_USER_AUTH",
 "ALLOW_REFRESH_TOKEN_AUTH"
 ],
 "generateSecret": true,
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.ts
index 89da361debf04..162610f359c31 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.ts @@ -20,6 +20,7 @@ const client = userpool.addClient('myuserpoolclient', { custom: true, userPassword: true, userSrp: true, + user: true, }, generateSecret: true, oAuth: { diff --git a/packages/aws-cdk-lib/aws-cognito/README.md b/packages/aws-cdk-lib/aws-cognito/README.md index 768a7cb24108b..e59370ef2d7cd 100644 --- a/packages/aws-cdk-lib/aws-cognito/README.md +++ b/packages/aws-cdk-lib/aws-cognito/README.md @@ -699,6 +699,9 @@ Custom authentication protocols can be configured by setting the `custom` proper functions for the corresponding user pool [triggers](#lambda-triggers). Learn more at [Custom Authentication Flow](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-custom-authentication-flow). +Choice-based authentication can be configured by setting the `user` property under `authFlow`. This enables the +`USER_AUTH` authentication flow. Learn more at [Choice-based authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice). + In addition to these authentication mechanisms, Cognito user pools also support using OAuth 2.0 framework for authenticating users. User pool clients can be configured with OAuth 2.0 authorization flows and scopes. Learn more about the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749) and [Cognito user pool's diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts index d1e7ad218c1f5..d92109c73b7a8 100644 --- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts +++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts 
@@ -34,6 +34,12 @@ export interface AuthFlow { * @default false */ readonly userSrp?: boolean; + + /** + * Enable Choice-based authentication + * @default false + */ + readonly user?: boolean; } /** @@ -525,6 +531,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient { if (props.authFlows.adminUserPassword) { authFlows.push('ALLOW_ADMIN_USER_PASSWORD_AUTH'); } if (props.authFlows.custom) { authFlows.push('ALLOW_CUSTOM_AUTH'); } if (props.authFlows.userSrp) { authFlows.push('ALLOW_USER_SRP_AUTH'); } + if (props.authFlows.user) { authFlows.push('ALLOW_USER_AUTH'); } // refreshToken should always be allowed if authFlows are present authFlows.push('ALLOW_REFRESH_TOKEN_AUTH'); diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool-client.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool-client.test.ts index 751b722b6c2c7..49f44cccac3c2 100644 --- a/packages/aws-cdk-lib/aws-cognito/test/user-pool-client.test.ts +++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool-client.test.ts @@ -255,6 +255,7 @@ describe('User Pool Client', () => { custom: true, userPassword: true, userSrp: true, + user: true, }, }); @@ -264,6 +265,7 @@ describe('User Pool Client', () => { 'ALLOW_ADMIN_USER_PASSWORD_AUTH', 'ALLOW_CUSTOM_AUTH', 'ALLOW_USER_SRP_AUTH', + 'ALLOW_USER_AUTH', 'ALLOW_REFRESH_TOKEN_AUTH', ], }); @@ -281,6 +283,7 @@ describe('User Pool Client', () => { custom: false, userPassword: false, userSrp: false, + user: false, }, });
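Review bot: The doc comment on the new `user` flag in the AuthFlow hunk says only `Enable Choice-based authentication`, which does not tell a reader how it differs from the neighbouring `userPassword` and `userSrp` flags or what it actually turns on for the client; I would replace it with `Enable choice-based authentication (the USER_AUTH flow, emitted as ALLOW_USER_AUTH). Lets the client complete sign-in with any first factor the user pool allows (for example password, passkey or a one-time code), so it widens the credentials this client accepts, and requires a user pool feature plan that supports it.` The second hunk only appends the string, so a user pool whose plan does not support choice-based sign-in will fail at deployment rather than at synth time; if the plan is reachable from `props.userPool` a synth-time check next to the existing `authFlows.push` calls would surface that earlier, though I have not confirmed the plan is exposed on the construct. The constructor that contains the second hunk begins and ends outside the hunk.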