diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts
index dee3dbbfbfe3e..cea420ece7d3a 100644
--- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts
+++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts
@@ -1362,7 +1362,9 @@ export class UserPool extends UserPoolBase {
       return undefined;
     }
 
-    // TODO: validate whether the feature plan is not Lite
+    if (props.featurePlan === FeaturePlan.LITE) {
+      throw new Error('To enable passwordless sign-in, set `featurePlan` to `FeaturePlan.ESSENTIALS` or `FeaturePlan.PLUS`.');
+    }
 
     const allowedFirstAuthFactors = ['PASSWORD'];
     if (props.allowedFirstAuthFactors.emailOtp) {
diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts
index d65b45626c3b1..f7677a6c33813 100644
--- a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts
+++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts
@@ -2128,7 +2128,18 @@ describe('User Pool', () => {
     });
   });
 
-  // TODO: test('allowFirstAuthFactors throws when the feature plan is Lite')
+  test('allowFirstAuthFactors throws when the feature plan is Lite', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    expect(() => {
+      new UserPool(stack, 'Pool', {
+        allowedFirstAuthFactors: { emailOtp: true },
+        featurePlan: FeaturePlan.LITE,
+      });
+    }).toThrow('To enable passwordless sign-in, set `featurePlan` to `FeaturePlan.ESSENTIALS` or `FeaturePlan.PLUS`.');
+  });
 
   test('passkeyRelyingPartyId is configured', () => {
     // GIVEN