1 min read · Aug 26, 2020
That is a fair point. I'd say this is less of a problem than having plain text passwords in a database since this challenge code expires after a while.
The reason I'm not using the built-in auth challenge storage is that challenges expire in 3 minutes (hard AWS limit), which in my experience is often just a tad too short for some users to sign in to their email and click the link. 15-30 minutes is the sweet spot between security and usability in my experience, but not possible with the built-in auth challenges.
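The store described in the reply above, as an added example (not code from the original post or its author): the challenge is kept outside Cognito's built-in auth session with a 15-minute expiry, only a hash of the code is stored so a table dump does not yield working links (the concern raised by the commenter), and each record is single-use with a bounded number of guesses. Assumptions: an in-memory dict stands in for whatever table the author uses in the real deployment, the TTL is the 15-minute end of the author's 15-30 minute window, and the `MAX_ATTEMPTS` limit is the example's own choice.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store standing in for the external table the author
# keeps challenges in (assumption: keyed by e-mail address).
_CHALLENGES: Dict[str, dict] = {}

CHALLENGE_TTL_SECONDS = 15 * 60  # 15 minutes, well past Cognito's 3-minute session limit
MAX_ATTEMPTS = 3                 # example's own guess limit per issued code


def _hash_code(code: str) -> str:
    # Only this digest is persisted; the plaintext code lives in the e-mail link.
    return hashlib.sha256(code.encode()).hexdigest()


def create_challenge(email: str, now: Optional[float] = None) -> str:
    """Issue a fresh magic-link code for `email` and return the plaintext once.

    Re-issuing for the same address replaces any earlier, still-valid code.
    """
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output, unguessable
    _CHALLENGES[email] = {
        "hash": _hash_code(code),
        "expires_at": now + CHALLENGE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_challenge(email: str, code: str, now: Optional[float] = None) -> bool:
    """Check a submitted code. Returns True at most once per issued code.

    The record is removed when the code matches, when it has expired, or when
    MAX_ATTEMPTS wrong guesses have been made, so a leaked or guessed code
    cannot be replayed and a brute force cannot run indefinitely.
    """
    now = time.time() if now is None else now
    record = _CHALLENGES.get(email)
    if record is None:
        return False
    if now > record["expires_at"]:
        del _CHALLENGES[email]  # expired: nothing more to try against
        return False
    record["attempts"] += 1
    ok = hmac.compare_digest(record["hash"], _hash_code(code))  # constant-time compare
    if ok or record["attempts"] >= MAX_ATTEMPTS:
        del _CHALLENGES[email]  # consumed, or guess budget exhausted
    return ok


def pending_challenges() -> int:
    """Number of outstanding (not yet consumed or pruned) challenges."""
    return len(_CHALLENGES)


if __name__ == "__main__":
    t0 = time.time()
    issued = create_challenge("alice@example.com", now=t0)
    print("wrong code accepted:", verify_challenge("alice@example.com", "nope", now=t0 + 30))
    print("right code accepted:", verify_challenge("alice@example.com", issued, now=t0 + 60))
    print("replay accepted:", verify_challenge("alice@example.com", issued, now=t0 + 90))
```

In a Cognito custom-auth deployment the natural wiring is for the CreateAuthChallenge trigger to call `create_challenge` and send the mail, and the VerifyAuthChallengeResponse trigger to call `verify_challenge` against the persistent table; expired rows can additionally be pruned with the table's own TTL feature, but the explicit `expires_at` check above is what actually enforces the window.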