
Failure to Authenticate with AzureAD when Device Verification is Enabled

Open · icirellik opened this issue 8 months ago · 1 comment

Periodically our organization administrator requires us to verify our devices, which blocks the SAML authentication process and requires manual verification. This is the screen you would see after a successful authentication in the browser when verification is required.

[screenshot: more-information]

A more insightful error would be helpful, as automatic verification would defeat the security protections. As you can see from the output below, the current error is confusing, as it indicates the OTP was entered twice instead of directing the user to log in in the browser, which is the correct action in this instance.

saml2aws login --force
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username [email protected]
? Password

Authenticating as [email protected]  ...
? Enter verification code 123456
? Enter verification code 123456
Error authenticating to IdP.: error processing MFA, errcode: 500121, message: PhoneAppOtpAuthFailedDuplicateCodeEntered

The verbose output indicates a successful authentication followed by a duplicate code:

// First OTP
{"Success":true,"ResultValue":"Success"}
// Second OTP
{"Success":false,"ResultValue":"PhoneAppOtpAuthFailedDuplicateCodeEntered"}

icirellik avatar Jun 20 '24 17:06 icirellik
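The actionable error the issue asks for can be produced by looking at the sequence of MFA responses rather than only the last one: an accepted code followed by PhoneAppOtpAuthFailedDuplicateCodeEntered means the second OTP prompt should never have been shown, so the message should point the user at the browser instead of at the code. The Go below is an added illustration and is not saml2aws's own code; the type and function names and the error text are assumptions, and the two response bodies are constructed from the verbose output quoted in the issue.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// mfaResult mirrors the two fields visible in the verbose output quoted in the issue.
type mfaResult struct {
	Success     bool   `json:"Success"`
	ResultValue string `json:"ResultValue"`
}

// ErrDeviceVerificationRequired is the directive error this example returns when
// an accepted OTP is followed by a duplicate-code failure, the pattern the issue
// attributes to a pending device verification that must be completed in a browser.
// (Hypothetical name and wording, not a saml2aws error.)
var ErrDeviceVerificationRequired = errors.New(
	"the verification code was accepted but AzureAD did not complete the sign-in; " +
		"your tenant may require device verification (\"More information required\"). " +
		"Sign in once in a browser to complete it, then re-run saml2aws login")

// parseMFAResult decodes one raw MFA response body.
func parseMFAResult(raw string) (mfaResult, error) {
	var r mfaResult
	if err := json.Unmarshal([]byte(raw), &r); err != nil {
		return r, fmt.Errorf("decode MFA response: %w", err)
	}
	return r, nil
}

// classifyMFA inspects all MFA responses received during one login attempt.
// It returns nil when the last response is a success, ErrDeviceVerificationRequired
// when a success was followed by PhoneAppOtpAuthFailedDuplicateCodeEntered, and a
// generic error otherwise.
func classifyMFA(responses []string) error {
	var results []mfaResult
	for _, raw := range responses {
		r, err := parseMFAResult(raw)
		if err != nil {
			return err
		}
		results = append(results, r)
	}
	if len(results) == 0 {
		return errors.New("no MFA response received")
	}
	last := results[len(results)-1]
	if last.Success {
		return nil
	}
	// Only treat the duplicate-code result as a verification signal when the
	// code immediately before it was accepted; a lone duplicate is a plain MFA error.
	if last.ResultValue == "PhoneAppOtpAuthFailedDuplicateCodeEntered" &&
		len(results) >= 2 && results[len(results)-2].Success {
		return ErrDeviceVerificationRequired
	}
	return fmt.Errorf("error processing MFA: %s", last.ResultValue)
}

func main() {
	// Constructed inputs copied from the verbose output in the issue.
	responses := []string{
		`{"Success":true,"ResultValue":"Success"}`,
		`{"Success":false,"ResultValue":"PhoneAppOtpAuthFailedDuplicateCodeEntered"}`,
	}
	if err := classifyMFA(responses); err != nil {
		fmt.Println("Error authenticating to IdP:", err)
	}
}
```

The check deliberately keys on the ordering (success, then duplicate) rather than on the duplicate result alone, so a user who genuinely re-enters a stale code still gets the original MFA error instead of being sent to the browser.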