In Microsoft Entra External ID, we’ve noticed that unused verification codes generated for sign-up and two-factor authentication can still be used in two scenarios, even after a new code has been requested:
- During the same registration/login attempt.
- When the current registration/login process is canceled, and a new one is initiated.
While used codes are correctly blocked from reuse, unused codes remain valid and can be reused across new registration or login attempts.
Could you please clarify:
- Whether it’s possible to restrict the usage of old, unused codes in new registration or login attempts.
- If there’s a way to invalidate all previous codes whenever a new code is generated.
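
The behavior asked about above, as an added sketch that is not part of the original post and is not Entra External ID code or configuration: a generic one-time-code store in which issuing a new code replaces any earlier unused code and each code is bound to the attempt that requested it. The class name, the attempt identifiers, the account name and the 300-second lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime for this sketch, not an Entra setting

def _random_code():
    return f"{secrets.randbelow(10**6):06d}"

class OtpStore:
    """At most one live code per account, bound to the attempt that requested it."""

    def __init__(self, new_code=_random_code, clock=time.monotonic):
        self._new_code, self._clock = new_code, clock
        self._live = {}  # account -> (attempt_id, sha256(code), expires_at)

    def issue(self, account, attempt_id):
        code = self._new_code()
        digest = hashlib.sha256(code.encode()).digest()
        # Overwriting the entry invalidates every earlier unused code for the account.
        self._live[account] = (attempt_id, digest, self._clock() + CODE_TTL_SECONDS)
        return code

    def verify(self, account, attempt_id, code):
        entry = self._live.get(account)
        if entry is None:
            return False
        bound_attempt, digest, expires_at = entry
        if self._clock() >= expires_at:
            del self._live[account]
            return False
        supplied = hashlib.sha256(code.encode()).digest()
        # Reject codes presented from a different attempt than the one they were sent for.
        if bound_attempt != attempt_id or not hmac.compare_digest(supplied, digest):
            return False
        del self._live[account]  # a used code cannot be replayed
        return True

def replay_scenarios(store, account="user@example.test"):
    """Replays the two cases from the question; account and attempt ids are constructed."""
    first = store.issue(account, "attempt-1")
    second = store.issue(account, "attempt-1")   # resend within the same attempt
    same_attempt_old = store.verify(account, "attempt-1", first)
    third = store.issue(account, "attempt-2")    # attempt-1 canceled, new one started
    new_attempt_old = store.verify(account, "attempt-2", second)
    newest = store.verify(account, "attempt-2", third)
    return same_attempt_old, new_attempt_old, newest
```

With this design `replay_scenarios` returns `(False, False, True)`: both older unused codes are rejected and only the most recently issued code is accepted.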