diff --git a/src/pages/Auth.tsx b/src/pages/Auth.tsx
index 289a4e95..e8f5f4b0 100644
--- a/src/pages/Auth.tsx
+++ b/src/pages/Auth.tsx
@@ -149,33 +149,48 @@ export default function Auth() { const postAuthResult = await handlePostAuthFlow(data.session, 'password'); if (postAuthResult.success && postAuthResult.data.shouldRedirect) { - // Get the TOTP factor ID + // MFA IS REQUIRED - we must show the challenge or sign out const { data: factors } = await supabase.auth.mfa.listFactors(); const totpFactor = factors?.totp?.find(f => f.status === 'verified'); if (totpFactor) { + // Show MFA challenge setMfaFactorId(totpFactor.id); setLoading(false); return; // Stay on page, show MFA modal + } else { + // MFA is required but no factor found - FORCE SIGN OUT for security + console.error('[Auth] SECURITY: MFA required but no verified factor found'); + await supabase.auth.signOut(); + toast({ + variant: "destructive", + title: "Authentication Error", + description: "Multi-factor authentication is required but not properly configured. Please contact support." + }); + setLoading(false); + return; } } - // Verify session was stored - setTimeout(async () => { - const { data: { session } } = await supabase.auth.getSession(); - if (!session) { - toast({ - variant: "destructive", - title: "Session Error", - description: "Login succeeded but session was not stored. Please check your browser settings and enable cookies/storage." - }); - } else { - toast({ - title: "Welcome back!", - description: "You've been signed in successfully." - }); - } - }, 500); + // ONLY show success toast if MFA was NOT required + if (postAuthResult.success && !postAuthResult.data.shouldRedirect) { + // Verify session was stored + setTimeout(async () => { + const { data: { session } } = await supabase.auth.getSession(); + if (!session) { + toast({ + variant: "destructive", + title: "Session Error", + description: "Login succeeded but session was not stored. Please check your browser settings and enable cookies/storage." + }); + } else { + toast({ + title: "Welcome back!", + description: "You've been signed in successfully." 
+ }); + } + }, 500); + } } catch (error) { // Reset CAPTCHA widget to force fresh token generation
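Review bot: The forced sign-out in the new `else` branch discards the result of `await supabase.auth.signOut()`, which resolves to `{ error }` rather than throwing; if that call fails, the password-only session can remain in local storage while the user is shown the "not properly configured" toast, which undercuts the fail-closed intent of the branch. Capture and log it, e.g. `const { error: signOutError } = await supabase.auth.signOut(); if (signOutError) console.error('[Auth] sign-out after MFA failure did not complete', signOutError);`, so the console message reflects what actually happened. The same branch is also reached when `listFactors()` itself errors, since its `error` is dropped in the destructuring two lines above, so the log and toast then blame configuration for what may be a transient lookup failure; surfacing that error in the `console.error` would make the message diagnosable. The `setTimeout(async () => { ... }, 500)` moved under the new `!shouldRedirect` guard still runs outside the surrounding try/catch, so a rejected `getSession()` there becomes an unhandled promise rejection rather than reaching the CAPTCHA-reset handler; the enclosing handler starts before this hunk.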