diff --git a/src/components/auth/AuthModal.tsx b/src/components/auth/AuthModal.tsx
index 019e087d..b60171db 100644
--- a/src/components/auth/AuthModal.tsx
+++ b/src/components/auth/AuthModal.tsx
@@ -131,14 +131,13 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
 
 const totpFactor = factors?.totp?.find(f => f.status === 'verified');
 if (totpFactor) {
- // IMMEDIATELY DESTROY THE AAL1 SESSION (same as Auth.tsx password flow)
- console.log('[AuthModal] MFA required - destroying AAL1 session before challenge');
- await supabase.auth.signOut();
+ // Keep AAL1 session active for MFA verification
+ // RLS policies will block sensitive operations until AAL2
+ console.log('[AuthModal] MFA required - keeping AAL1 session for verification');
 
- // At this point, user has NO authenticated session
 setMfaFactorId(totpFactor.id);
 setLoading(false);
- return; // User has NO session - MFA modal will show
+ return; // MFA modal will show, session-based MFA flow will work
 }
 }
 
diff --git a/src/pages/Auth.tsx b/src/pages/Auth.tsx
index 597fd703..81321131 100644
--- a/src/pages/Auth.tsx
+++ b/src/pages/Auth.tsx
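Review bot: The new comment `// RLS policies will block sensitive operations until AAL2` is all that replaces the removed `await supabase.auth.signOut()`, and nothing in this hunk or in the matching hunks in Auth.tsx and AuthCallback.tsx shows that enforcement, so the security boundary has moved to the database on the strength of a comment. With the AAL1 session now kept (and, with the default client config, persisted in browser storage), every path that does not go through an RLS-checked table — route guards, edge functions, storage — needs its own AAL2 check, and a user who dismisses the MFA modal or reloads should be re-challenged rather than left at AAL1; I could not see such a guard in the diff, so this is inferred. Suggest the comment point at the concrete policy instead of asserting it, e.g. `// Session stays at AAL1 until mfa.verify(); AAL2 is enforced server-side by <RLS policy / migration name — fill in>`, and that a single shared guard (for example comparing `currentLevel` and `nextLevel` from `supabase.auth.mfa.getAuthenticatorAssuranceLevel()`) be referenced from all three call sites so they cannot drift apart again. AuthModal's body starts before this hunk and continues after it.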
@@ -155,17 +155,14 @@ export default function Auth() {
 
 const totpFactor = factors?.totp?.find(f => f.status === 'verified');
 if (totpFactor) {
- // CRITICAL SECURITY FIX: IMMEDIATELY DESTROY THE AAL1 SESSION
- // The user MUST NOT have any active session before completing MFA
- console.log('[Auth] MFA required - destroying AAL1 session before challenge');
- await supabase.auth.signOut();
+ // Keep AAL1 session active for MFA verification
+ // RLS policies will block sensitive operations until AAL2
+ console.log('[Auth] MFA required - keeping AAL1 session for verification');
 
- // Store email and factor ID in component state ONLY
- // At this point, user has NO authenticated session
 setMfaPendingEmail(formData.email);
 setMfaFactorId(totpFactor.id);
 setLoading(false);
- return; // User has NO session - MFA modal will show
+ return; // MFA modal will show, session-based MFA flow will work
 } else {
 // MFA is required but no factor found - FORCE SIGN OUT for security
 console.error('[Auth] SECURITY: MFA required but no verified factor found');
diff --git a/src/pages/AuthCallback.tsx b/src/pages/AuthCallback.tsx
index ec8b3dce..40e989e6 100644
--- a/src/pages/AuthCallback.tsx
+++ b/src/pages/AuthCallback.tsx
@@ -119,14 +119,13 @@ export default function AuthCallback() {
 
 const totpFactor = factors?.totp?.find(f => f.status === 'verified');
 if (totpFactor) {
- // IMMEDIATELY DESTROY THE AAL1 SESSION (same as password flow)
- console.log('[AuthCallback] MFA required - destroying AAL1 session before challenge');
- await supabase.auth.signOut();
+ // Keep AAL1 session active for MFA verification
+ // RLS policies will block sensitive operations until AAL2
+ console.log('[AuthCallback] MFA required - keeping AAL1 session for verification');
 
- // At this point, user has NO authenticated session
 setMfaFactorId(totpFactor.id);
 setStatus('mfa_required');
- return; // User has NO session - MFA modal will show
+ return; // MFA modal will show, session-based MFA flow will work
 }
 }
 