MFA Interface is not showing one time password expired

Atmaram Dutta 40 Reputation points
2025-11-17T04:15:39.7066667+00:00

Hi All

I am trying to sign in to an app using Entra External ID authentication. We have MFA where it sends a code (OTP) by SMS to the phone. I guess the expiry for that code is 10 minutes. So after 10 minutes, when I add the code in the interface (shown below) and click Next, it does not show any error code/validation message, although in the network trace I can see the error.

User's image

Network error:

{
"Success": false,
"ResultValue": null,
"Message": "AADSTS50089: Authentication failed due to flow token expired.",
"AuthMethodId": "OneWaySMS",
"ErrCode": 50089,
"Retry": false,
"FlowToken": "AQA.....",
"Ctx": "rQQI...",
"SessionId": ---PII removed---,
"CorrelationId": ---PII removed---,
"Timestamp": "2025-11-17T04:03:11Z",
"Entropy": 0,
"ReselectUIOption": 0,
"ContinuationToken": null,
"MobileAppAuthDetails": null
}

Any insight on this? Thanks, Atmaram


1 answer

  1. Rin-L 10,085 Reputation points Microsoft External Staff Moderator
    2025-11-17T12:43:50.0866667+00:00

    Hi @Atmaram Dutta

    Thank you for posting your question in the Microsoft Q&A forum. From what you’ve described and based on what I’ve researched, this is a known UX limitation in how Microsoft Entra handles expired OTP flow tokens during MFA. The backend correctly detects the issue and returns the error code AADSTS50089 (flow token expired) when the OTP exceeds the 10-minute validity window.   

    However, the MFA interface does not surface any error message or validation feedback to the user, resulting in a silent failure even though the network trace shows the error. This limitation can be inconvenient because users have no indication that the code has expired. They simply see the process fail without explanation. It can lead to confusion, repeated attempts, and unnecessary troubleshooting. 

    If you are using the built-in Entra MFA form, you can raise this as feedback directly via Microsoft Entra so the product team can review and consider improving the user experience. For example, you might suggest adding a countdown timer for OTP validity or a clear error message when the code has expired.   

    As a forum moderator, I don’t have the ability to make changes to the product and I also cannot submit feedback on your behalf.

    However, I truly appreciate you bringing this situation to light. Feedback like yours is extremely valuable for improving the overall experience. I’ll also do my best to raise this internally so the related team is aware of the impact.  

    I hope my explanation and insights are helpful to you. Thank you again for raising this question. 



    1 person found this answer helpful.
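
As an added example (not part of the original thread and not Microsoft code): because the sign-in page shows nothing, one way to confirm an expired flow token during troubleshooting is to export the browser network trace as a HAR file and scan it for responses with `Success: false`. The field names are the ones in the response posted in the question; the host, paths and HAR contents are constructed sample data.

```javascript
// Triage a browser HAR export for MFA responses that failed without UI feedback.
// Field names (Success, Message, ErrCode, Retry, AuthMethodId, Timestamp) come from
// the response posted in the question; everything else here is an assumption.
const AADSTS_RE = /AADSTS(\d+)/;

// HAR 1.2 stores the body in response.content.text, optionally base64-encoded.
function decodeBody(content) {
  if (!content || typeof content.text !== "string") return null;
  const raw = content.encoding === "base64"
    ? Buffer.from(content.text, "base64").toString("utf8")
    : content.text;
  try { return JSON.parse(raw); } catch { return null; } // skip non-JSON bodies
}

function findFailedMfaResponses(har) {
  const findings = [];
  for (const entry of har?.log?.entries ?? []) {
    const body = decodeBody(entry.response?.content);
    if (!body || body.Success !== false) continue;
    const m = AADSTS_RE.exec(body.Message ?? "");
    findings.push({
      url: entry.request?.url ?? null,
      // Prefer the numeric field; fall back to the code embedded in the message.
      errCode: body.ErrCode ?? (m ? Number(m[1]) : null),
      method: body.AuthMethodId ?? null,
      retryable: body.Retry === true,
      timestamp: body.Timestamp ?? null,
      message: body.Message ?? "",
    });
  }
  return findings;
}

// Constructed HAR: an expired-OTP response, a base64-encoded success, an HTML page.
const sampleHar = { log: { entries: [
  { request: { url: "https://login.example.invalid/mfa/verify" },
    response: { content: { mimeType: "application/json", text: JSON.stringify({
      Success: false, ErrCode: 50089, Retry: false, AuthMethodId: "OneWaySMS",
      Message: "AADSTS50089: Authentication failed due to flow token expired.",
      Timestamp: "2025-11-17T04:03:11Z" }) } } },
  { request: { url: "https://login.example.invalid/mfa/begin" },
    response: { content: { encoding: "base64",
      text: Buffer.from(JSON.stringify({ Success: true })).toString("base64") } } },
  { request: { url: "https://login.example.invalid/" },
    response: { content: { mimeType: "text/html", text: "<html></html>" } } },
] } };

for (const f of findFailedMfaResponses(sampleHar)) {
  console.log(`${f.timestamp} ${f.method} ErrCode=${f.errCode} retryable=${f.retryable} :: ${f.message}`);
}
```

Remove or redact `FlowToken`, `Ctx`, `SessionId` and `CorrelationId` values before sharing a HAR file or any output derived from it.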
