feat: Cognito MFA TOTP support #9786

@bdellegrazie

Currently the TOTP MFA support is "faked" by simply accepting any token passed in by the user.

I've created a PR #9785 to address this by:

  • implementing TOTP (using cryptography) on the Cognito IdP side and
  • ensuring the client-side tests (which use pyotp) use the full OTP flow

However, this support is only a partial improvement because the secret used for TOTP is the same for all users.
I'm leaving that to a separate PR as it will require a larger change (need to modify sessions to add the MFA secret).
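
The three verification behaviours this issue distinguishes (any token accepted, one secret shared by all users, and a secret per user), as an added example that is not part of the issue or of PR #9785. It implements RFC 6238 with the Python standard library only, rather than cryptography or pyotp, and the function names and sample secrets are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret: bytes, token: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side for clock drift."""
    times = (at + d * STEP for d in range(-window, window + 1))
    # compare_digest avoids leaking how many leading digits matched
    return any(
        hmac.compare_digest(totp(secret, t).encode(), token.encode())
        for t in times if t >= 0
    )

# Constructed sample secrets. SHARED is the RFC 6238 Appendix B test key.
SHARED = b"12345678901234567890"
USER_SECRETS = {"alice": b"constructed-secret-A", "bob": b"constructed-secret-B"}

def check_faked(user: str, token: str, at: int) -> bool:
    return True  # any token passes, so the second factor adds nothing

def check_shared(user: str, token: str, at: int) -> bool:
    return verify(SHARED, token, at)  # a code valid for one user is valid for all

def check_per_user(user: str, token: str, at: int) -> bool:
    secret = USER_SECRETS.get(user)  # unknown user: no secret, so reject
    return secret is not None and verify(secret, token, at)

if __name__ == "__main__":
    now = 59  # constructed timestamp (first RFC 6238 test vector)
    alice_code = totp(USER_SECRETS["alice"], now)
    print("faked, bob, 000000:", check_faked("bob", "000000", now))
    print("shared, bob, code from shared key:", check_shared("bob", totp(SHARED, now), now))
    print("per-user, alice, own code:", check_per_user("alice", alice_code, now))
    print("per-user, bob, alice's code:", check_per_user("bob", alice_code, now))
```
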
