diff --git a/doc/sphinx/plugins/restricted/accountInfo.rst b/doc/sphinx/plugins/restricted/accountInfo.rst index 3a3f392..ea078ee 100644 --- a/doc/sphinx/plugins/restricted/accountInfo.rst +++ b/doc/sphinx/plugins/restricted/accountInfo.rst @@ -59,6 +59,8 @@ Output example ~ - Additional TOTP authentication is not required for this account ~ - Additional TOTP authentication bypass is disabled for this account ~ - Additional TOTP authentication is disabled + ~ - PAM authentication bypass is disabled + ~ - Alternative authentication logic (allow both pubkey alone and PAM alone) is disabled ~ - MFA policy on personal accesses (using personal keys) on egress side is: password ~ Account PAM UNIX password information (used for password MFA): diff --git a/doc/sphinx/plugins/restricted/accountModify.rst b/doc/sphinx/plugins/restricted/accountModify.rst index 47538a1..dd56638 100644 --- a/doc/sphinx/plugins/restricted/accountModify.rst +++ b/doc/sphinx/plugins/restricted/accountModify.rst @@ -69,3 +69,10 @@ Modify an account configuration If enabled, this account can only use ``--osh`` commands, and can't connect anywhere through the bastion +.. option:: --mfa-any yes|no + + Control the ingress login requirements for pubkey and pam (when a password and/or TOTP is set). + + When disabled, the user needs pubkey AND pam, this is the default. + When enabled, the user can authenticate with either pubkey OR pam. + If the account has no password/TOTP, this option has no effect, i.e: pubkey is used. Egress is not affected.
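Review bot: In the accountInfo.rst output example, the added line "Alternative authentication logic (allow both pubkey alone and PAM alone) is disabled" uses a different name from the ``--mfa-any`` option documented in accountModify.rst, so someone auditing an account from this output cannot tell which option toggles it. Suggest naming the option next to that line. The added "PAM authentication bypass is disabled" line needs the same pointer, since the accountModify.rst hunk in this patch documents only ``--mfa-any``.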
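Review bot: In the ``--mfa-any`` description added to accountModify.rst, the "When enabled" line should state outright that enabling the option reduces ingress login from two required factors to one, so that PAM (password and/or TOTP) alone is enough to log in without the public key. The text also does not say how this option interacts with the PAM and TOTP bypass settings shown in the accountInfo output. Minor: "i.e:" should be "i.e.", and "pam" should be written "PAM" to match the accountInfo output.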