Things to note when implementing MFA with the AWS Cognito service

1. Authentication Flow Comparison

1.1. Scenario 1: Login with MFA enabled
User → Password → MFA Challenge (SOFTWARE_TOKEN_MFA) → TOTP Code → Access Token
Token proves: Password + MFA (2-factor authentication)
Security level: HIGH

1.2. Scenario 2: Associate Software Token (MFA not enabled yet)
User → Password → Access Token (no MFA challenge)
Token proves: Password only (1-factor authentication)
Security level: MEDIUM

=> Answer: technically the same permissions, different authentication strength.

From AWS Cognito's perspective:
- Both tokens grant the same API permissions (user operations).
- Both are valid access tokens for the authenticated user.
- Both can call associateSoftwareToken, setSoftwareTokenMfaPreference, etc. (the AssociateSoftwareToken, VerifySoftwareToken and SetUserMFAPreference API operations).

BUT the authentication strength differs:
✅ With MFA: the user proved their identity with 2 factors.
⚠️ Without MFA: the user proved their identity with 1 factor only.

The access token carries no claim saying which of the two flows issued it. If your app wants to treat MFA-changing operations (disabling MFA, associating a new software token) as more sensitive than ordinary user operations, it has to record at login time whether the MFA challenge was completed, and check that record before allowing them.

2. Storing the AWS Access Token in the Session

✅ Benefits
- Better UX: no need to re-authenticate for every operation.
- Follows the OAuth2 pattern: store the token, reuse it for API calls.
- Enables your use cases: the stored token can disable MFA, associate a software token, etc.
- Already secured: with httpOnly (page scripts cannot read the cookie) and sameSite (cross-site requests do not carry it), plus secure so it only travels over HTTPS, this is much safer than keeping the token in browser storage.

⚠️ Critical Considerations

Issue 1: Token Expiration Mismatch
# AWS Cognito tokens
AWS access token lifetime = 3600000 # 1 hour (default, in milliseconds; configurable per app client)
=> You should set your app's own session maxAge to the same value, or derive it from the token's exp claim, so that the session never outlives the token it holds ...
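The two flows from section 1 and the session maxAge rule from section 2, as an added Node.js example (not code from the original note). The Cognito calls are injected as two async functions, initiateAuth and respondToAuthChallenge, with the same request/response shapes as the InitiateAuth and RespondToAuthChallenge API operations; the fakeCognito() below, its sample users and the unsigned sample tokens are constructed so the file runs offline, and in production you would pass thin wrappers around the AWS SDK v3 client instead. The helper names authenticate, sessionCookieOptions, tokenExp, makeSampleToken and fakeCognito are this example's own. The `factors` value is the app's own record of what the token proved, because the token itself does not say.

```javascript
"use strict";
// Added example, not from the original note. Cognito calls are injected so the
// file runs offline against the constructed fakeCognito() below.

const TOKEN_LIFETIME_S = 3600; // Cognito default access token validity: 1 hour

// Constructed sample users standing in for a Cognito user pool.
const FAKE_USERS = {
  "alice@example.com": { password: "correct horse", mfaEnabled: true, totp: "123456" },
  "bob@example.com": { password: "battery staple", mfaEnabled: false },
};

// Builds an unsigned JWT-shaped token for the sample only. Real Cognito tokens
// are RS256-signed and must be verified against the user pool's JWKS.
function makeSampleToken(username, issuedAt) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const payload = { sub: username, token_use: "access", iat: issuedAt, exp: issuedAt + TOKEN_LIFETIME_S };
  return `${b64({ alg: "none", typ: "JWT" })}.${b64(payload)}.unsigned`;
}

// Fake Cognito with the request/response shapes of InitiateAuth and
// RespondToAuthChallenge. `now` is seconds since the epoch.
function fakeCognito(now) {
  const pending = new Map(); // Session -> username, single use
  return {
    async initiateAuth({ AuthParameters: { USERNAME, PASSWORD } }) {
      const user = FAKE_USERS[USERNAME];
      if (!user || user.password !== PASSWORD) throw new Error("NotAuthorizedException");
      // Scenario 2: no MFA configured, tokens come back directly.
      if (!user.mfaEnabled) return { AuthenticationResult: { AccessToken: makeSampleToken(USERNAME, now) } };
      // Scenario 1: MFA enabled, Cognito issues a challenge instead of tokens.
      const session = `session-${pending.size}-${USERNAME}`;
      pending.set(session, USERNAME);
      return { ChallengeName: "SOFTWARE_TOKEN_MFA", Session: session };
    },
    async respondToAuthChallenge({ Session, ChallengeResponses: { USERNAME, SOFTWARE_TOKEN_MFA_CODE } }) {
      if (pending.get(Session) !== USERNAME) throw new Error("NotAuthorizedException");
      pending.delete(Session);
      if (FAKE_USERS[USERNAME].totp !== SOFTWARE_TOKEN_MFA_CODE) throw new Error("CodeMismatchException");
      return { AuthenticationResult: { AccessToken: makeSampleToken(USERNAME, now) } };
    },
  };
}

// Runs USER_PASSWORD_AUTH. If Cognito answers with SOFTWARE_TOKEN_MFA the code
// from getTotpCode() completes the challenge (2 factors); otherwise the token
// is returned as-is (1 factor). `factors` is the app's own record of this.
async function authenticate(cognito, { clientId, username, password, getTotpCode }) {
  const first = await cognito.initiateAuth({
    AuthFlow: "USER_PASSWORD_AUTH",
    ClientId: clientId,
    AuthParameters: { USERNAME: username, PASSWORD: password },
  });
  if (first.AuthenticationResult) {
    return { accessToken: first.AuthenticationResult.AccessToken, factors: 1 };
  }
  if (first.ChallengeName !== "SOFTWARE_TOKEN_MFA") {
    throw new Error(`unexpected challenge: ${first.ChallengeName}`);
  }
  const second = await cognito.respondToAuthChallenge({
    ClientId: clientId,
    ChallengeName: "SOFTWARE_TOKEN_MFA",
    Session: first.Session, // opaque, single-use, must be echoed back
    ChallengeResponses: { USERNAME: username, SOFTWARE_TOKEN_MFA_CODE: await getTotpCode() },
  });
  if (!second.AuthenticationResult) throw new Error("MFA challenge not satisfied");
  return { accessToken: second.AuthenticationResult.AccessToken, factors: 2 };
}

// Reads the exp claim. Decoding only: signature verification is a separate step.
function tokenExp(accessToken) {
  const payload = accessToken.split(".")[1];
  return JSON.parse(Buffer.from(payload, "base64url").toString("utf8")).exp;
}

// Cookie options for the server-side session holding the token. maxAge is
// clamped to the token's remaining lifetime (issue 1 above) so the session
// never outlives the token; null means "already expired, do not create one".
function sessionCookieOptions(accessToken, nowSeconds) {
  const remainingMs = (tokenExp(accessToken) - nowSeconds) * 1000;
  if (!(remainingMs > 0)) return null;
  return { httpOnly: true, secure: true, sameSite: "strict", maxAge: remainingMs };
}

// Demo: log both sample users in and print what their sessions would look like.
(async () => {
  const now = Math.floor(Date.now() / 1000);
  const cognito = fakeCognito(now);
  for (const [username, password, totp] of [["alice@example.com", "correct horse", "123456"], ["bob@example.com", "battery staple", null]]) {
    const result = await authenticate(cognito, { clientId: "app", username, password, getTotpCode: async () => totp });
    console.log(username, "factors:", result.factors, "cookie:", sessionCookieOptions(result.accessToken, now));
  }
})();
```

Keeping `factors` in the server-side session next to the token is what lets a route that disables MFA or associates a new software token refuse a 1-factor session, which is the gap section 1 describes; the cookie maxAge is computed from the token's exp claim rather than hard-coded so that a changed AccessTokenValidity on the app client does not silently desynchronise the two.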