Reply to post: Re: Too good to be true?

YouTubers fell for shady 'sponsors' who seized, then sold, accounts

fxkeh

Re: Too good to be true?

That's just how cookie-based auth works. You authenticate (with 2FA) and then a signed token is stored in a session cookie; the token will be valid for x amount of time. The next time you navigate to a different URL on the same site (or make an XHR request), the cookie is sent in the request by the browser, so you don't have to auth again. (Otherwise you'd have to log in every time you went to a different page, or did anything that triggered a request.)

There are alternatives to cookie-based tokens, e.g. appending the token as a &token=xxx parameter on each URL, but it's generally considered worse because users can inadvertently share that URL with the whole internet and expose their account that way.
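A minimal version of the signed, expiring session token the post describes, as an added example (it is not code from the post or from The Register): the server mints an HMAC-signed token after login, sets it in a cookie with the flags that keep it out of URLs and page scripts, and on each request verifies the signature and expiry. The secret, TTL and user id are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real server loads this from configuration or a KMS.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
SESSION_TTL_SECONDS = 3600  # the "valid for x amount of time" window


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(user_id: str, now: float, ttl: int = SESSION_TTL_SECONDS) -> str:
    """Mint the token the server stores in the session cookie once 2FA succeeds."""
    claims = {"sub": user_id, "exp": int(now) + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_session_token(token: str, now: float):
    """Return the user id if the token is authentic and unexpired, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed cookie value
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time; rejects edited claims
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None  # expired: the browser must authenticate again
    return claims["sub"]


def set_cookie_header(token: str) -> str:
    """Set-Cookie value: HttpOnly keeps scripts away from it, Secure keeps it off
    plaintext HTTP, SameSite=Lax stops most cross-site sends, unlike a &token= URL."""
    return (f"session={token}; Max-Age={SESSION_TTL_SECONDS}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")
```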
