diff --git a/src/components/auth/AuthModal.tsx b/src/components/auth/AuthModal.tsx
index b86af810..019e087d 100644
--- a/src/components/auth/AuthModal.tsx
+++ b/src/components/auth/AuthModal.tsx
@@ -126,14 +126,19 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
 const postAuthResult = await handlePostAuthFlow(data.session, 'password');
 if (postAuthResult.success && postAuthResult.data.shouldRedirect) {
- // Get the TOTP factor ID
+ // CRITICAL SECURITY FIX: Get factor BEFORE destroying session
 const { data: factors } = await supabase.auth.mfa.listFactors();
 const totpFactor = factors?.totp?.find(f => f.status === 'verified');
 if (totpFactor) {
+ // IMMEDIATELY DESTROY THE AAL1 SESSION (same as Auth.tsx password flow)
+ console.log('[AuthModal] MFA required - destroying AAL1 session before challenge');
+ await supabase.auth.signOut();
+
+ // At this point, user has NO authenticated session
 setMfaFactorId(totpFactor.id);
 setLoading(false);
- return; // Stay in modal, show MFA challenge
+ return; // User has NO session - MFA modal will show
 }
 }