Specifying user pool device tracking settings
As a way of providing additional security, you can track devices that users have logged in to. This topic describes how to add device tracking to your Amazon Cognito user pools in the AWS Management Console.
Setting up remembered devices
With Amazon Cognito user pools, you can choose to have Amazon Cognito remember devices used to access your application and associate these remembered devices with your application's users in a user pool. You can also choose to use remembered devices to stop sending codes to your users when you have set up multi-factor authentication (MFA). You must use the USER_SRP_AUTH authentication flow to use the device tracking feature. To use remembered devices to replace MFA, you must also enable MFA for your user pool.
Configure device remembering in the Sign-in experience tab of your user pool, under Device tracking. When setting up the remembered devices functionality through the Amazon Cognito console, you have three options: Always remember, User Opt-In, and Don't remember.
- Don't remember (default) – Devices are not remembered.
- Always remember – Every device used by your application's users is remembered.
- User Opt-In – Your user's device is only remembered if that user opts to remember the device.
If either Always remember or User Opt-In is selected, a device identifier (key and secret) will be assigned to each device the first time a user signs in with that device. This key will not be used for anything other than identifying the device, but it will be tracked by the service.
If you select Always remember, Amazon Cognito will use the device identifier (key and secret) to authenticate the device on every user sign-in with that device as part of the user authentication flow.
If you select User Opt-In, you can remember devices only when your application's users opt to do so. When a user signs in with a new device, the response from the request to initiate tracking indicates whether the user should be prompted about remembering their device. You must create the user interface to prompt users. If the user opts to have the device remembered, the device status is updated with a 'remembered' state.
The AWS Mobile SDKs have additional APIs to see remembered devices (ListDevices, GetDevice), mark a device as remembered or not remembered (UpdateDeviceStatus), and stop tracking a device (ForgetDevice). In the REST API, there are additional administrator versions of these APIs that have elevated privileges and work on any user. They have API names such as AdminListDevices, AdminGetDevice, and so on. They are not exposed through the SDKs.
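The following is an added example, not code from this page or from Amazon Cognito itself. It shows how an application would drive the device APIs named above (ListDevices, UpdateDeviceStatus, ForgetDevice and the Admin* counterparts) through the boto3 `cognito-idp` client, including the User Opt-In prompt decision from the previous paragraph. It assumes the real `ConfirmDevice` response field `UserConfirmationNecessary` (not named on this page) and the boto3 method names and keyword arguments; `FakeCognitoClient` is a constructed in-memory stand-in with the same call shape so the flow runs offline, and the user pool ID, device keys and tokens are placeholders.

```python
"""Device-tracking helpers for an Amazon Cognito user pool (added example).

In production pass ``boto3.client("cognito-idp")`` as ``client``. FakeCognitoClient
below is a constructed stand-in for offline testing only.
"""
from typing import Callable, Dict, List, Optional

REMEMBERED = "remembered"          # DeviceRememberedStatus values accepted by UpdateDeviceStatus
NOT_REMEMBERED = "not_remembered"


def should_prompt_to_remember(confirm_device_response: dict) -> bool:
    """With the User Opt-In setting, ConfirmDevice answers UserConfirmationNecessary=True;
    the app then has to show its own prompt and record the choice with UpdateDeviceStatus."""
    return bool(confirm_device_response.get("UserConfirmationNecessary", False))


def _paginate(fetch: Callable[..., dict], **kwargs) -> List[dict]:
    """Collect every page of devices by following PaginationToken until it is absent."""
    devices: List[dict] = []
    token: Optional[str] = None
    while True:
        page = fetch(**kwargs, **({"PaginationToken": token} if token else {}))
        devices.extend(page.get("Devices", []))
        token = page.get("PaginationToken")
        if not token:
            return devices


def list_devices(client, access_token: str) -> List[dict]:
    """All tracked devices of the signed-in user (ListDevices, 25 per page)."""
    return _paginate(client.list_devices, AccessToken=access_token, Limit=25)


def device_summary(device: dict) -> Dict[str, str]:
    """Flatten the DeviceAttributes name/value list for display or audit logging."""
    attrs = {a["Name"]: a["Value"] for a in device.get("DeviceAttributes", [])}
    return {"DeviceKey": device["DeviceKey"],
            "device_name": attrs.get("device_name", ""),
            "last_ip_used": attrs.get("last_ip_used", "")}


def set_remembered(client, access_token: str, device_key: str, remember: bool) -> str:
    """Record the user's opt-in decision for one device (UpdateDeviceStatus)."""
    status = REMEMBERED if remember else NOT_REMEMBERED
    client.update_device_status(AccessToken=access_token, DeviceKey=device_key,
                                DeviceRememberedStatus=status)
    return status


def forget_device(client, access_token: str, device_key: str) -> None:
    """Stop tracking a device (ForgetDevice); it is treated as new on its next sign-in."""
    client.forget_device(AccessToken=access_token, DeviceKey=device_key)


def admin_forget_all_devices(client, user_pool_id: str, username: str) -> int:
    """Incident-response step for a suspected account compromise: drop every tracked
    device so none can be used to skip MFA. Uses the Admin* APIs (IAM credentials,
    no user access token); returns the number of devices forgotten."""
    devices = _paginate(client.admin_list_devices, UserPoolId=user_pool_id,
                        Username=username, Limit=25)
    for d in devices:   # list first, then delete, so pagination is not disturbed
        client.admin_forget_device(UserPoolId=user_pool_id, Username=username,
                                   DeviceKey=d["DeviceKey"])
    return len(devices)


class FakeCognitoClient:
    """Constructed in-memory stand-in for boto3's cognito-idp client (tests only)."""

    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}               # access token -> username
        self.devices: Dict[str, Dict[str, dict]] = {}  # username -> {DeviceKey: record}

    def add_device(self, username: str, key: str, name: str, ip: str) -> None:
        self.devices.setdefault(username, {})[key] = {
            "DeviceKey": key, "_remembered": False,
            "DeviceAttributes": [{"Name": "device_status", "Value": "valid"},
                                 {"Name": "device_name", "Value": name},
                                 {"Name": "last_ip_used", "Value": ip}]}

    def _page(self, username: str, Limit: int, PaginationToken: Optional[str]) -> dict:
        items = list(self.devices.get(username, {}).values())
        start = int(PaginationToken) if PaginationToken else 0
        out = {"Devices": [{k: v for k, v in d.items() if not k.startswith("_")}
                           for d in items[start:start + Limit]]}
        if start + Limit < len(items):
            out["PaginationToken"] = str(start + Limit)
        return out

    def list_devices(self, AccessToken, Limit=60, PaginationToken=None):
        return self._page(self.tokens[AccessToken], Limit, PaginationToken)

    def update_device_status(self, AccessToken, DeviceKey, DeviceRememberedStatus):
        rec = self.devices[self.tokens[AccessToken]][DeviceKey]
        rec["_remembered"] = DeviceRememberedStatus == REMEMBERED
        return {}

    def forget_device(self, AccessToken, DeviceKey):
        del self.devices[self.tokens[AccessToken]][DeviceKey]
        return {}

    def admin_list_devices(self, UserPoolId, Username, Limit=60, PaginationToken=None):
        return self._page(Username, Limit, PaginationToken)

    def admin_forget_device(self, UserPoolId, Username, DeviceKey):
        del self.devices[Username][DeviceKey]
        return {}
```

The `_paginate` helper matters in practice: a user with many tracked devices will not fit in one ListDevices page, and an administrator who forgets devices while paging through the same list can skip entries, which is why `admin_forget_all_devices` lists everything before it deletes anything.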
Using remembered devices to suppress multi-factor authentication (MFA)
If you have selected either Always remember or User Opt-In, you also can suppress MFA challenges on remembered devices for the users of your application. To use this feature, you must enable MFA for your user pool. For more information, see Adding MFA to a user pool.
Note
If the device remembering feature is set to Always and Allow users to bypass MFA for trusted devices is set to Yes, then the MFA settings for medium/high risks in risk-based MFA are ignored.