Description
Before opening, please confirm:
- I have searched for duplicate or closed issues and discussions.
- I have read the guide for submitting bug reports.
- I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
JavaScript Framework
React, Not applicable
Amplify APIs
Authentication
Amplify Version
v6
Amplify Categories
auth
Backend
None
Environment information
System:
OS: Linux 6.10 Debian GNU/Linux 12 (bookworm) 12 (bookworm)
CPU: (10) arm64 unknown
Memory: 1.73 GB / 7.65 GB
Container: Yes
Shell: 5.2.15 - /bin/bash
Binaries:
Node: 22.12.0 - /usr/local/bin/node
Yarn: 1.22.22 - /usr/local/bin/yarn
npm: 10.9.0 - /usr/local/bin/npm
pnpm: 9.15.0 - /usr/local/share/npm-global/bin/pnpm
npmPackages:
...
@aws-amplify/auth: 6.13.3 => 6.13.3
aws-amplify: 6.15.3 => 6.15.3
...
Describe the bug
According to the documentation, when a device is not remembered, you’ll be asked for 2FA at the next sign-in, but the device will still be tracked. In our case, 2FA is indeed requested as expected during sign-in, but a new device key is issued, and Cognito treats the device as new.
During debugging, we noticed that the device_key is provided during the SRP workflow; however, it is not included when resolving the TOTP challenge. During our tests, we tried passing the device_key to the TOTP challenge as well. In that case, Cognito did not treat the device as new and did not return a new device key. The remaining issue, however, was that the LastAuthenticatedDate on the device was not updated.
Expected behavior
We need the user to be able to remember devices in order to skip MFA and to display a list of the devices they use (remembered and not_remembered). Treating every new login as a new device (when not_remembered) would flood the device list with duplicate entries for the same browser or device.
Reproduction steps
- Sign in when MFA/TOTP is enabled:

```js
const { isSignedIn, nextStep } = await signIn({
  username: <username>,
  password: <password>
});
```

- Resolve the challenge by providing the code:

```js
const { isSignedIn } = await confirmSignIn({
  challengeResponse: <code>
});
```

- Fetch the devices:

```js
const devices = await fetchDevices()
```

Expected: When performing this operation multiple times on the same device, only one device should appear in the list.
Actual: Each login adds a new device to the list.
Code Snippet
// Put your code below this line.
Log output
// Put your logs below this line
aws-exports.js
No response
Manual configuration
No response
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response
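
Added example, not part of the original report and not Amplify's own code: a check over the Cognito request bodies captured from one sign-in that reports which steps omit the `DEVICE_KEY` sent earlier in the flow, the behaviour described under "Describe the bug". The sample capture, its values and the function names are constructed for illustration; that the `PASSWORD_VERIFIER` step carries the key is an assumption.

```javascript
// Constructed sample: request bodies of one sign-in as seen in a network
// capture. All values are placeholders, not real credentials or device keys.
const capturedRequests = [
  { target: 'AWSCognitoIdentityProviderService.InitiateAuth',
    body: { AuthFlow: 'USER_SRP_AUTH',
            AuthParameters: { USERNAME: 'alice', SRP_A: 'constructed-srp-a',
                              DEVICE_KEY: 'constructed-device-key' } } },
  { target: 'AWSCognitoIdentityProviderService.RespondToAuthChallenge',
    body: { ChallengeName: 'PASSWORD_VERIFIER',
            ChallengeResponses: { USERNAME: 'alice',
                                  DEVICE_KEY: 'constructed-device-key' } } },
  { target: 'AWSCognitoIdentityProviderService.RespondToAuthChallenge',
    body: { ChallengeName: 'SOFTWARE_TOKEN_MFA',
            ChallengeResponses: { USERNAME: 'alice',
                                  SOFTWARE_TOKEN_MFA_CODE: '000000' } } },
];

// InitiateAuth carries parameters in AuthParameters, challenge answers in
// ChallengeResponses; return the device key from whichever is present.
function deviceKeyOf(request) {
  const params = request.body.AuthParameters
    || request.body.ChallengeResponses || {};
  return params.DEVICE_KEY || null;
}

// Label each step 'present', 'missing' or 'mismatch' relative to the first
// device key seen in the flow. A flow with no key at all (first sign-in on a
// device) is labelled 'not-tracked' throughout.
function auditDeviceKey(requests) {
  const expected = requests.map(deviceKeyOf).find((k) => k !== null) || null;
  return requests.map((request) => {
    const step = request.body.ChallengeName || request.body.AuthFlow;
    const key = deviceKeyOf(request);
    let status = 'present';
    if (expected === null) status = 'not-tracked';
    else if (key === null) status = 'missing';
    else if (key !== expected) status = 'mismatch';
    return { step, status };
  });
}

// Names of the steps that dropped the device key.
function stepsMissingDeviceKey(requests) {
  return auditDeviceKey(requests)
    .filter((entry) => entry.status === 'missing')
    .map((entry) => entry.step);
}

console.log(auditDeviceKey(capturedRequests));
```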