For anyone curious, this is how the bug manifests. The UI elements related to the OTP code should not be shown, because the custom Pre-Registration action blocked it with api.access.deny(‘denyReason’).
@Auth0: this is a super embarrassing silly bug, when can we expect a fix please?
