Hi @eric.hu
My apologies I was thinking in terms of Passwordless SMS and not MFA with SMS which does follow different behavior. In the context of MFA it isn’t the code/OTP that expires, but rather it is the transaction which can expire. However to your point about customizing this transaction expiry, unfortunately this is not customizable at this time as it’s a global configuration. The default expiry for MFA transactions is 5 minutes, which can be found in our docs on troubleshooting MFA
Apologies again for the confusion on my end, let me know if that answers your question 
Best,
Colin