Cognito ConfirmDevice `Invalid device key given` when logging in with USER_SRP_AUTH + MFA

Question

Hello

I found a strange behavior with the `ConfirmDevice` api.

When using the `USER_SRP_AUTH` flow without any `MFA` challenge, it is possible to call the `ConfirmDevice` API.

Though, if the pool requires MFA, or the user has configured MFA, then the user will need to pass an intermediate MFA challenge. Then, the `ConfirmDevice` api always returns `Invalid device key given` error.

I've tried with multiple permutations without success:
1. `InitiateAuth` with `USER_SRP_AUTH` / `USER_PASSWORD_AUTH`
2. `AdminIntiateAuth`/ `InitiateAuth`
3. `AdminRespondToAuthChallenge` / `RespondToAuthChallenge`
4. Confidential / Public client
5. MFA Required / Optional (it will work when mfa=optional and user didn't setup MFA)
6. Device tracking opt-in/always
7. Adaptive security (will work when adaptive security bypasses MFA based on config/risk)

So it looks like the `AccessToken` obtained from an auth flow that included intermediate challenges (e.g. `SOFTWARE_TOKEN_MFA`) is not allowed to call the `ConfirmDevice` api. The only way to successfully call this api is if there is only the `PASSWORD_VERIFIER` challenge in the auth flow.

It doesn't look like the expected behavior. I would expect that I can still confirm a device even (especially?) after passing the `PASSWORD_VERIFIER` and! `SOFTWARE_TOKEN_MFA` challenge.

Here is a minimal reproduction: https://gist.github.com/ludydoo/9fef0858e63b79275342a2000bc68560

When the user doesn't have MFA:

```
Starting Cognito SRP CLI...
✔ Cognito Client ID: XXXXXX
✔ Cognito Client Secret: XXXXXX
✔ Cognito User Pool ID: us-east-1_XXXXXX
✔ Email: XXXXXX@BLA.com
✔ Password: XXXXXXXXX
Initiating auth with Cognito. AuthFlow: USER_SRP_AUTH
Handling challenge: PASSWORD_VERIFIER
New device metadata obtained
Device Key: XXXXXX
Device Group Key: XXXXXX
User confirmation necessary
Do you want to remember this device?: y
All done!
Access Token:
```

When the user has MFA:

```
Starting Cognito SRP CLI...
✔ Cognito Client ID: XXXXXXX
✔ Cognito Client Secret: XXXXXXX
✔ Cognito User Pool ID: us-east-1_XXXXXXXXX
✔ Email: XXXXXX@BLA.com
✔ Password: XXXXXXXXX
Initiating auth with Cognito. AuthFlow: USER_SRP_AUTH
Handling challenge: PASSWORD_VERIFIER
Handling challenge: SOFTWARE_TOKEN_MFA
✔ MFA Code: XXXXXXX
New device metadata obtained
Device Key: us-east-XXXXXXX
Device Group Key: -XXXXXXX
operation error Cognito Identity Provider: ConfirmDevice, https response error StatusCode: 400, RequestID: 0c96651d-bdc9-4f2b-adc1-7407f77827a7, InvalidParameterException: Invalid device key given.
```

Answer

Alright. Here is a *major* footgunnery, found after 1 week of headscratching:

After initiating auth with `USER_SRP_AUTH`, cognito will respond with `PASSWORD_VERIFIER`, the `response.ChallengeParameters` will include `USERNAME` and `USERNAME_FOR_SRP`.

For me, both have the same value. Probably because I just use email. Anyways, I didn't use those values, and simply used `USERNAME: ` in the next `RespondToAuthChallenges`.

This `USERNAME` (or `USERNAME_FOR_SRP`?) returned by the `PASSWORD_VERIFIER/DEVICE_PASSWORD_VERIFIER` **must** be used as the `USERNAME` in the successive `RespondToAuthChallenge`.

If it is not used, the tokens will still be issued (!), but, it will not be possible to call the `ConfirmDevice` api.

I am a bit surprised that the error messages were not more helpful though, and also surprised that I could still pass the MFA challenge by using email/username(guid) interchangeably.

Question now is
- Why does Cognito allows using `email` as USERNAME in `RespondToAuthChallenge{challengeName: SOFTWARE_TOKEN_MFA}`? Shouldn't an error be returned instead ?
- Since it doesn't fail, why does Cognito returns `NewDeviceMetadata` when using `email` as USERNAME, but doesn't allow to `ConfirmDevice` ?

Cognito ConfirmDevice `Invalid device key given` when logging in with USER_SRP_AUTH + MFA

Relevant content