How do you make 2FA work on both an AWS account and an Amazon consumer account?

The scenario:

  • Both my Amazon consumer account (the one I use when I log in to amazon.com to buy stuff) and my AWS root account use the same email address.
  • 2FA can be enabled on both the Amazon consumer account and the AWS root account independently.

When 2FA is enabled on both amazon.com and AWS, this is the behavior:

  • Logging into amazon.com requires the TOTP configured for the MFA device connected to the Amazon consumer account. This is expected.
  • Logging into the AWS console with the root account requires both the TOTP from the MFA device connected to the Amazon consumer account, and the TOTP from the MFA device connected to the AWS root account. Each TOTP is asked for one after the other, with different web pages. Only when both are entered can you proceed to the console. This is unexpected.

When 2FA is enabled on only the AWS root account, this is the behavior:

  • Logging into the AWS console with the root account requires only the TOTP from the MFA device connected to the AWS root account. This is expected.
  • Logging into the Amazon consumer account requires the TOTP from the MFA device connected to the AWS root account. This is unexpected.

How do I set up 2FA on both accounts and have them be independent of the other account? This behavior is bizarre.

amoffat
Asked 2 years ago, 103 views
No answers
