diff --git a/src/pages/AuthCallback.tsx b/src/pages/AuthCallback.tsx
index 9e82d090..ec8b3dce 100644
--- a/src/pages/AuthCallback.tsx
+++ b/src/pages/AuthCallback.tsx
@@ -114,14 +114,19 @@ export default function AuthCallback() {
 const result = await handlePostAuthFlow(session, authMethod);
 if (result.success && result.data?.shouldRedirect) {
- // Get factor ID and show modal instead of redirecting
+ // CRITICAL SECURITY FIX: Get factor BEFORE destroying session
 const { data: factors } = await supabase.auth.mfa.listFactors();
 const totpFactor = factors?.totp?.find(f => f.status === 'verified');
 if (totpFactor) {
+ // IMMEDIATELY DESTROY THE AAL1 SESSION (same as password flow)
+ console.log('[AuthCallback] MFA required - destroying AAL1 session before challenge');
+ await supabase.auth.signOut();
+
+ // At this point, user has NO authenticated session
 setMfaFactorId(totpFactor.id);
 setStatus('mfa_required');
- return;
+ return; // User has NO session - MFA modal will show
 }
 }
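Review bot: The added `await supabase.auth.signOut();` discards the `{ error }` it returns, so a failed sign-out (network error, already-revoked refresh token) still falls through to `setStatus('mfa_required')` with the AAL1 session intact, which is precisely the state the "user has NO session" comment claims cannot happen. Check the result before continuing, e.g. `const { error: signOutError } = await supabase.auth.signOut(); if (signOutError) { setStatus('error'); return; }` using whatever failure status this component already has. Separately, the modal that receives `totpFactor.id` must be able to finish the challenge with no session: supabase-js `mfa.challenge()`/`mfa.verify()` step up the current session to AAL2, so unless the modal re-authenticates first this ordering should be confirmed against the password flow the comment cites, and the `console.log` of the auth state should not ship to production. The enclosing `AuthCallback` body continues outside the hunk, and the header counts suggest a few trailing context lines are not shown here.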