79360783

Date: 2025-01-16 08:14:04
Score: 1
Natty:

I encountered the issue while configuring MFA during first login, where I offered users the choice of authentication methods: Email, SMS, or Authenticator App. The issue occurred only when the Authenticator App was selected.

After investigation, we found that configuring the Authenticator App resets the SecurityStamp for the user in the AspNetUsers table. So, any tokens generated before this reset are rendered invalid.

To resolve the issue, we adjusted our flow as follows:

Check if the Authenticator App is configured: Before proceeding with actions like password reset, confirm whether the user has completed MFA setup with the Authenticator App.

Generate a new token: After the Authenticator App is set up, create a fresh token and validate the user with this token.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Sameer Tanveer
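The two-step flow described in the answer above, as an added example in ASP.NET Core Identity (this is illustrative code, not the answerer's own; the `FirstLoginMfaService` class and its method names are hypothetical, and a standard `UserManager<IdentityUser>` is assumed):

```csharp
// Added example (not from the original answer): order token generation after
// authenticator-app setup, because setup rotates the user's SecurityStamp.
// Assumes a standard UserManager<IdentityUser>; the service and method names are hypothetical.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

public class FirstLoginMfaService
{
    private readonly UserManager<IdentityUser> _userManager;

    public FirstLoginMfaService(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    // Start setup: ResetAuthenticatorKeyAsync stores a new shared key AND updates
    // the SecurityStamp, so any token issued before this call stops validating.
    public async Task<string?> BeginAuthenticatorSetupAsync(IdentityUser user)
    {
        var stampBefore = await _userManager.GetSecurityStampAsync(user);
        await _userManager.ResetAuthenticatorKeyAsync(user);
        var stampAfter = await _userManager.GetSecurityStampAsync(user);
        // stampBefore != stampAfter here: this is the reset the answer describes.
        return await _userManager.GetAuthenticatorKeyAsync(user);
    }

    // Step 1 of the answer: confirm the user finished setup with the authenticator app.
    // SetTwoFactorEnabledAsync also updates the SecurityStamp.
    public async Task<bool> CompleteAuthenticatorSetupAsync(IdentityUser user, string verificationCode)
    {
        var verified = await _userManager.VerifyTwoFactorTokenAsync(
            user, _userManager.Options.Tokens.AuthenticatorTokenProvider, verificationCode);
        if (!verified) return false;

        var result = await _userManager.SetTwoFactorEnabledAsync(user, true);
        return result.Succeeded;
    }

    // Step 2 of the answer: only after MFA setup is confirmed, generate a fresh token
    // (bound to the current SecurityStamp) and consume it right away.
    public async Task<IdentityResult> ResetPasswordAfterMfaAsync(IdentityUser user, string newPassword)
    {
        if (!await _userManager.GetTwoFactorEnabledAsync(user))
            throw new InvalidOperationException("Complete authenticator setup before resetting the password.");

        var token = await _userManager.GeneratePasswordResetTokenAsync(user);
        return await _userManager.ResetPasswordAsync(user, token, newPassword);
    }
}
```

A password-reset token generated before `BeginAuthenticatorSetupAsync` or `CompleteAuthenticatorSetupAsync` will fail in `ResetPasswordAsync` with an "Invalid token" error, which is the symptom the answer investigated.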