diff --git a/aws-vault.go b/aws-vault.go
index a5b57bab3..3ef7e8531 100644
--- a/aws-vault.go
+++ b/aws-vault.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"io/ioutil"
 	"log"
 	"os"
 
@@ -13,6 +14,10 @@ var (
 )
 
 func main() {
+	if os.Getenv("DEBUG") != "1" {
+		log.SetOutput(ioutil.Discard)
+	}
+
 	ui := &cli.BasicUi{
 		Writer:      os.Stdout,
 		Reader:      os.Stdin,
diff --git a/command/list.go b/command/list.go
index 1a1dd6f15..6ae4899a9 100644
--- a/command/list.go
+++ b/command/list.go
@@ -28,9 +28,16 @@ func (c *ListCommand) Run(args []string) int {
 		c.Ui.Error(err.Error())
 		return 4
 	}
+
 	for _, p := range profileNames {
 		c.Ui.Output(p)
 	}
+
+	if len(profileNames) == 0 {
+		c.Ui.Error("No profiles found")
+		return 1
+	}
+
 	return 0
 }
 
diff --git a/command/store.go b/command/store.go
index 6facf45ff..458a907f6 100644
--- a/command/store.go
+++ b/command/store.go
@@ -49,13 +49,13 @@ func (c *StoreCommand) Run(args []string) int {
 		return 1
 	}
 
-	accessKeyId, err := c.Ui.Ask("Enter Access Key ID: ")
+	accessKeyId, err := c.Ui.Ask("Enter Access Key ID:")
 	if err != nil {
 		c.Ui.Error(err.Error())
 		return 2
 	}
 
-	secretKey, err := c.Ui.AskSecret("Enter Secret Access Key: ")
+	secretKey, err := c.Ui.AskSecret("Enter Secret Access Key:")
 	if err != nil {
 		c.Ui.Error(err.Error())
 		return 2
diff --git a/vault/session.go b/vault/session.go
index 791ff16ab..1fedf5b77 100644
--- a/vault/session.go
+++ b/vault/session.go
@@ -1,6 +1,7 @@
 package vault
 
 import (
+	"log"
 	"time"
 
 	"github.com/99designs/aws-vault/Godeps/_workspace/src/github.com/aws/aws-sdk-go/aws"
@@ -55,8 +56,15 @@ func (sp *SessionProvider) Session(conf SessionConfig) (SessionCredentials, erro
 			TokenCode:       aws.String(token),
 		}
 
+		if token != "" {
+			log.Printf("assuming role %s with mfa %s", conf.Profile.RoleARN, serialNumber)
+		} else {
+			log.Printf("assuming role %s", conf.Profile.RoleARN)
+		}
+
 		resp, err := svc.AssumeRole(input)
 		if err != nil {
+			log.Printf("%#v", err)
 			return SessionCredentials{}, err
 		}
 		return SessionCredentials{resp.Credentials}, nil
@@ -69,6 +77,12 @@ func (sp *SessionProvider) Session(conf SessionConfig) (SessionCredentials, erro
 		TokenCode:       aws.String(token),
 	}
 
+	if token != "" {
+		log.Printf("getting session token with mfa %s", serialNumber)
+	} else {
+		log.Printf("getting session token")
+	}
+
 	resp, err := svc.GetSessionToken(input)
 	if err != nil {
 		return SessionCredentials{}, err
@@ -92,6 +106,8 @@ func (ksp *KeyringSessionProvider) Session(conf SessionConfig) (SessionCredentia
 	}
 
 	if sessionCreds == nil || time.Now().After(*sessionCreds.Expiration) {
+		log.Println("fetching new session")
+
 		if ksp.CredsFunc != nil {
 			creds, err := ksp.CredsFunc()
 			if err != nil {
@@ -111,6 +127,8 @@ func (ksp *KeyringSessionProvider) Session(conf SessionConfig) (SessionCredentia
 		}
 
 		sessionCreds = &newCreds
+	} else {
+		log.Printf("using cached session (expires in %s)", sessionCreds.Expiration.Sub(time.Now()))
 	}
 
 	return *sessionCreds, nil