only look for valid second factor in session if we have a session