MFA

TOTP MFA setup + login challenge response.

📄️Begin TOTP MFA enrollment

Calls Cognito `AssociateSoftwareToken` and returns a TOTP secret + ready-to-render `otpauth://` URL the SPA can encode as a QR code.

📄️Verify the first TOTP code and finish enrollment

On success, Cognito tokens are issued, session cookies are set, and the SPA redirect URL is returned.

📄️Respond to an SMS or TOTP MFA challenge

Sends the MFA code back to Cognito via `RespondToAuthChallenge`. On success, session cookies are set and the SPA redirect URL is returned.