I am trying to implement email based MFA using AWS congito and Lambda triggers and using lambda functions trigger and verify mfa_code. I am able to pass PASSWORD_VERIFIER challenge and also able to generate my custom MFA code, However when I try to exchange the MFA code using admin_respond_to_auth challenge function of boto3. I get incorrect email or password error. Here is my code,

define auth challenge lambda

def lambda_handler(event, context):
    if (len(event['request']['session']) == 1 and event['request']['session'][0]['challengeName'] == "SRP_A"):
        event['response']['issueTokens'] = False
        event['response']['failAuthentication'] = False
        event['response']['challengeName'] = "PASSWORD_VERIFIER"
    elif (len(event['request']['session']) == 2 and event['request']['session'][1]['challengeName'] == "PASSWORD_VERIFIER" and event['request']['session'][1]['challengeResult'] is True):
        event['response']['issueTokens'] = False
        event['response']['failAuthentication'] = False
        event['response']['challengeName'] = "CUSTOM_CHALLENGE"
    else:
        event['response']['issueTokens'] = False
        event['response']['failAuthentication'] = True

    return event

create auth challenge lambda

# Create_Auth_challenge
import boto3
import random
import string
from datetime import datetime, timedelta

ses = boto3.client('ses')

def lambda_handler(event, context):
    if event['request']['challengeName'] == 'CUSTOM_CHALLENGE':
        email = event['request']['userAttributes']['email']
        code = ''.join(random.choices(string.digits, k = 6))

        ses.send_email(
            Source = 'sender_email',
            Destination = {'ToAddresses':[email]},
            Message = {
                'Subject': {'Data': 'Your verification code'},
                'Body': {'Text': {'Data': f'Your verification code is {code}'}}
            }
        )

        event['response']['privateChallengeParameters'] = {}
        event['response']['privateChallengeParameters']['answer']=code
    return event

verify auth challenge

#verify auth challenge

def lambda_handler(event, context):
    if event['request']['privateChallengeParameters']['answer'] == event['request']['challengeAnswer']:
        event['response']['answerCorrect'] = True
    else:
        event['response']['answerCorrect'] = False

    return event

and this is how I am responding to challenge:

def release_auth_tokens(self, username, password, session):
    try:
        response = self.client.admin_respond_to_auth_challenge(
            UserPoolId = self.user_pool_id,
            ClientId = self.client_id,
            ChallengeName = "CUSTOM_CHALLENGE",
            Session = session,
            ChallengeResponses = {
                "USERNAME":username,
                "ANSWER":password
            },
        )

        print(f"respoinse in release auth tokens is {response}")
        return response

    except Exception as e:
        print(f"exception in release auth tokens is {e}")
        raise e

I have tried referring to documentation but there is no mention of how I can verify a custom challenge response. I cannot access the AWS instance directly so there is no way for me to check out logs if there are any. My code is based up on another post from stackoverflow user who was issue with PASSWORD_VERIFIER challenge, but how to proceed with custom challenge is not document anywhere in AWS or boto3 documentation.