Hi,
We’re having a problem in the scenario where an existing user with MFA set up using oob with sms wants to change the number that they have associated with their account. The documentation suggests it should be possible, but we’re having some issues.
The endpoint to add a new authenticator is “mfa/associate” and the documentation for this endpoint mentions “If the user has active authenticators, an Access Token with the enroll scope and the audience set to https://your_domain/mfa/ is required to use this endpoint. After an authenticator is added, it must be verified. To verify the authenticator, use the response values from the /mfa/associate request in place of the values returned from the /mfa/challenge endpoint and continue with the verification flow.”
This endpoint behaves as expected and returns the correct response and sends a text message to the phoneNumber provided in the request parameter.
The problem is when it comes to the next step of actually verifying the phone number the verification endpoint “/oauth/token” requires an mfa_token, which we do not have (as we already have an active authenticator).
Given the add authenticator endpoint specifically mentions that you can use an access_token in place of an mfa_token, I would expect this to work correctly when verifying the out of band code, even without an mfa_token (which only seems to come from a MFA_REQUIRED response).
The documentation for the two end points are as follows: 
- Add Authenticator: Authentication API Explorer
- Verify with out-of-band (OOB): Authentication API Explorer