AWS Cognito and empty device list

Hello,

I am using Cognito with TOTP. I have registered devices, TOTP functionality works, I get the TOTP popup with registered device which is linked to the user account, but I can't list devices registered during activation process. When I execute command to list devices, command returns empty list. Can You advise how this information can be collect ?

... $ aws cognito-idp list-devices --access-token e...2g { "Devices": [] }

https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/list-devices.html

br Jacko

Topics

Security, Identity, & Compliance

Tags

Amazon Cognito

Language

English

Jacko

asked 2 years ago404 views

3 Answers

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Does your CLI user have sufficient IAM access to view the needed Cognito resources?

kyager

answered 2 years ago

Jacko
2 years ago
Hello,

As far I see my account should have permission to list devices under defined user pool. I have permissions for all cognito-idp , as follows.

"Statement": [ { "Effect": "Allow", "Action": [ .... "cognito-idp:*",

Is it possible that my issue is related to the following topic, where devices list supported only under SDK ? https://repost.aws/questions/QUBLMX7pNpR2ayKpP1VRCTLQ/remember-device-to-suppress-mfa-challenge-using-cognito-hosted-ui

Hello,

I don't' get any errors regarding permissions issue, so I didn't considered it may be the problem. Just in case which IAM access should be valid for these operations ?

br Jacko

Jacko

answered 2 years ago

kyager
2 years ago
AWS is pretty bad at giving permission errorsand sometimes doesn't even tell you you're missing them. I don't know if thats the actual issue in question, but it's usually the first place I check when troubleshooting things like this.

I would check to see if you have cognito-idp:ListDevices there may be other permissions that are needed, that may require some research on your end, such as cognito-idp:AdminListDevices.

Please confirm if you have device tracking enabled in your user pool. YOu can use it to suppress MFA on remembered. This is not enabled by default. Please see below:

https://aws.amazon.com/blogs/mobile/tracking-and-remembering-devices-using-amazon-cognito-your-user-pools/

Pravo

answered 2 years ago

Jacko
2 years ago
Yes I do have user's devices set Always remember, but device list is not updated either after successful TOTP device registration or after TOTP successfull authentication. I just wonder at this point if this feature is actually limited only to track devices from the MFA using SMS option ? Has anyone got an example of the User pool setup where devices list is working and device key is saved under devices .

Relevant content

Cognito set user MFA required when using TOTP only
Pieter Jordaan
asked 2 years ago
Cognito error for MFA Totp
Irina
asked 7 months ago
Not able to Enable and Verfiy TOTP based MFA token using Cognito
Nirmal Ram
asked 2 years ago
Cognito TOTP MFA issue
ktzevelekidis
asked 4 years ago
How do I increase security in Amazon Cognito by using MFA settings for users and user pools?
AWS OFFICIALUpdated a year ago
How do I use remembered devices in my Amazon Cognito user pool?
AWS OFFICIALUpdated 8 months ago
How do I activate TOTP multi-factor authentication for Amazon Cognito user pools?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot MFA errors in my Amazon Cognito user pool?
AWS OFFICIALUpdated a year ago
Should I use the AWS IoT Device SDKs or other MQTT Clients?
EXPERT
David Malone
published a year ago
Choosing between FreeRTOS, Greengrass, ExpressLink, Device Client and the IoT Device SDKs
EXPERT
Greg_B
published 7 months ago