1. Authentication Flow Comparison:
1.1. Scenario 1: Login with MFA enabled
User → Password → MFA Challenge → TOTP Code → Access Token
- Token proves: Password + MFA (2-factor authentication)
- Security level: HIGH
1.2. Scenario 2: Associate Software Token (MFA not enabled yet)
User → Password → Access Token (no MFA challenge)
- Token proves: Password only (1-factor authentication)
- Security level: MEDIUM
=> Answer: Technically same permissions, different authentication strength
From AWS Cognito’s perspective:
- Both tokens grant the same API permissions (user operations)
- Both are valid access tokens for the authenticated user
- Both can call associateSoftwareToken, setSoftwareTokenMfaPreference, etc.
BUT - the authentication strength differs, and Cognito does not record it in the token's permissions, so the app has to track it itself:
- ✅ With MFA: User proved identity with 2 factors
- ⚠️ Without MFA: User proved identity with 1 factor only
2. Storing AWS Access Token in Session
✅ Benefits
- Better UX: Don’t re-authenticate for every operation
- Follows OAuth2 pattern: Store token, reuse for API calls
- Enables your use cases: Can disable MFA, associate token, etc.
- Already secured: With httpOnly + sameSite, much safer
⚠️ Critical Considerations
Issue 1: Token Expiration Mismatch
# AWS Cognito tokens
AWS access token lifetime = 3600000 # milliseconds = 1 hour (default)
=> set your app's own session maxAge to the same value, so the session cookie never outlives the token it stores
Issue 2: Different Session Types Need Different Lifetimes
- MFA challenge session: Short (15 min) ✅ Correct
- Authenticated session with access token: Longer (1 hour) ❌ Currently too short