MFA API - binding_code Identical for /mfa/challenge

Problem statement

We call the MFA API to send a 6-digit code using the /mfa/challenge endpoint, after obtaining the mfa_token through the Resource Owner Password Grant (ROPG) flow.

The issue is that calling this endpoint multiple times with the same payload always returns the same binding_code. Shouldn't this be different each time?

Solution

It is expected for the binding_code to be the same if you call the endpoint with the same mfa_token and oob_code that are used at the /oauth/token endpoint.

Once a binding_code is generated, it can be used only once. Also note that the binding_code expires after 5 minutes, so if you try to generate a new binding_code within that 5-minute window, you will receive the same code each time.
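To make the three rules above concrete (same code while the current one is unused and unexpired, single use, 5-minute expiry), here is an added illustrative model of a binding_code store keyed by mfa_token. It is example code written for this article, not Auth0's implementation: the store layout, the 6-digit random generation and the injectable clock are assumptions made so that the behaviour can be exercised offline.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Lifetime stated in the article: a binding_code expires after 5 minutes.
BINDING_CODE_TTL_SECONDS = 300


@dataclass
class BindingCodeEntry:
    code: str          # the 6-digit code delivered out of band
    issued_at: float   # timestamp from the store's clock
    used: bool = False # single-use flag


@dataclass
class BindingCodeStore:
    """Illustrative model (assumed, not Auth0's code) of binding_code issuance.

    One entry is kept per mfa_token. A challenge re-delivers the existing
    code while it is unused and within its 5-minute window; otherwise a
    fresh code is generated. Verification consumes the code.
    """
    now: Callable[[], float] = time.time   # injectable clock for testing
    _entries: Dict[str, BindingCodeEntry] = field(default_factory=dict)

    def _is_live(self, entry: BindingCodeEntry) -> bool:
        return (not entry.used
                and self.now() - entry.issued_at < BINDING_CODE_TTL_SECONDS)

    def challenge(self, mfa_token: str) -> str:
        """Model of /mfa/challenge: return the code that would be sent to the user."""
        entry = self._entries.get(mfa_token)
        if entry is not None and self._is_live(entry):
            # Same mfa_token, code still unused and unexpired: same code again.
            return entry.code
        # No live code for this token: generate a new 6-digit code (assumed format).
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._entries[mfa_token] = BindingCodeEntry(code=code, issued_at=self.now())
        return code

    def verify(self, mfa_token: str, binding_code: str) -> bool:
        """Model of the /oauth/token check: accept a live code exactly once."""
        entry = self._entries.get(mfa_token)
        if entry is None or not self._is_live(entry):
            return False
        # Constant-time comparison so the check does not leak matching prefixes.
        if not secrets.compare_digest(entry.code, binding_code):
            return False
        entry.used = True   # single use: a second verify with the same code fails
        return True


class FakeClock:
    """Constructed clock so expiry can be demonstrated without waiting 5 minutes."""
    def __init__(self, start: float = 1_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


def demo() -> dict:
    """Walk through the behaviour the article describes and return the observations."""
    clock = FakeClock()
    store = BindingCodeStore(now=clock)
    first = store.challenge("mfa-token-A")
    clock.t += 100                                   # still inside the 5-minute window
    repeat_within_window = store.challenge("mfa-token-A")
    first_verify = store.verify("mfa-token-A", first)
    second_verify = store.verify("mfa-token-A", first)   # single use: must fail
    clock.t += 1
    fresh = store.challenge("mfa-token-A")           # previous code consumed, new one issued
    clock.t += BINDING_CODE_TTL_SECONDS + 1          # let the fresh code expire
    expired_verify = store.verify("mfa-token-A", fresh)
    return {
        "same_code_within_window": first == repeat_within_window,
        "first_verify": first_verify,
        "second_verify": second_verify,
        "expired_verify": expired_verify,
    }


if __name__ == "__main__":
    print(demo())
```

The model explains the observation in the problem statement: as long as the code issued for a given mfa_token has neither been consumed at /oauth/token nor passed its 5-minute lifetime, repeating the challenge hands back that same code rather than minting a new one.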