
I'm using AzureADMFAProtocolProvider to send an OTP and verify it. I'm successfully receiving an OTP as SMS. However, ADB2C accepts any random OTP as a valid OTP and takes the user to the next orchestration step. Before moving to the next orchestration step, it says "The code has been verified. You can now continue."

I'm wondering if I must add "ControlClaimType = Phone" for the phone number to fix this. If this is needed, I need to change the entire logic, because I use a validation technical profile to generate the phone number based on the username (which is a 10-digit phone number without a country code). But I'm not sure if this is causing the issue.

This is my self-asserted technical profile that calls a phone verification control:

    <TechnicalProfile Id="PerformOTPValidationForPwdReset">
      <DisplayName>Verify Email For SignUp</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="setting.showContinueButton">true</Item>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <IncludeInSso>false</IncludeInSso>
      <DisplayClaims>
        <DisplayClaim DisplayControlReferenceId="verifyPhoneControl" />
      </DisplayClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" Required="true" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>

This is my display control:

  <DisplayControl Id="verifyPhoneControl" UserInterfaceControlType="VerificationControl">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="countryCode" />
      <InputClaim ClaimTypeReferenceId="nationalNumber" />
    </InputClaims>
    <DisplayClaims>
      <DisplayClaim ClaimTypeReferenceId="countryCode" />
      <DisplayClaim ClaimTypeReferenceId="nationalNumber" Required="true" />
      <DisplayClaim ClaimTypeReferenceId="verificationCode" ControlClaimType="VerificationCode" Required="true" />
    </DisplayClaims>
    <Actions>
      <Action Id="SendCode">
        <ValidationClaimsExchange>
          <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AAD-UserDiscoveryUsingLogonPhoneNumber-FullProfile" />
          <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="CombineCountryCodeAndNationalNumber" />
          <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AzureMfa-SendSms">
            <Preconditions>
              <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
                <Value>objectId</Value>
                <Action>SkipThisValidationTechnicalProfile</Action>
              </Precondition>
            </Preconditions>
          </ValidationClaimsExchangeTechnicalProfile>
        </ValidationClaimsExchange>
      </Action>
      <Action Id="VerifyCode">
        <ValidationClaimsExchange>
          <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AzureMfa-VerifySms">
            <Preconditions>
              <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
                <Value>objectId</Value>
                <Action>SkipThisValidationTechnicalProfile</Action>
              </Precondition>
            </Preconditions>
          </ValidationClaimsExchangeTechnicalProfile>
        </ValidationClaimsExchange>
      </Action>
    </Actions>
  </DisplayControl>

This is my AzureMfa-SendSms technical profile:

<TechnicalProfile Id="AzureMfa-SendSms">
  <DisplayName>Send Sms</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="Operation">OneWaySMS</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="userPrincipalName" />
    <InputClaim ClaimTypeReferenceId="signInNames.phoneNumber" PartnerClaimType="phoneNumber" />
  </InputClaims>
</TechnicalProfile>

This is my AzureMfa-VerifySms technical profile:

<TechnicalProfile Id="AzureMfa-VerifySms">
  <DisplayName>Verify Sms</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="Operation">Verify</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="verificationCode" />
    <InputClaim ClaimTypeReferenceId="signInNames.phoneNumber" PartnerClaimType="phoneNumber" />
  </InputClaims>
</TechnicalProfile>

AAD-UserDiscoveryUsingLogonPhoneNumber-FullProfile - this TP reads the full details, including the userPrincipalName. However, I'm not sure if it is being included in the claims bag and am wondering if this is causing the issue. Please help.

These are the technical profiles:

<TechnicalProfile Id="AAD-UserDiscoveryUsingLogonPhoneNumber-FullProfile">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    <OutputClaim ClaimTypeReferenceId="hasFullProfile" DefaultValue="true" AlwaysUseDefaultValue="true" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-UserDiscoveryUsingLogonPhoneNumber-Common" />
</TechnicalProfile>

<TechnicalProfile Id="AAD-UserDiscoveryUsingLogonPhoneNumber-Common">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">That phone number doesn't exist in our system. Please contact our administrator</Item>
    <Item Key="setting.showSignupLink">false</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="NationalNumberToSignInName" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

Any support is appreciated.
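A way to reason about a display control like the one in the question is to ask, for a given claims bag, which validation technical profiles of the VerifyCode action actually run once the preconditions are applied: a `SkipThisValidationTechnicalProfile` precondition on the only verifier means the entered code is checked by nothing, yet the control still reports success. The checker below is an added example, not code from the question, from Microsoft, or from the B2C starter pack. It assumes the documented precondition semantics (the precondition's `<Action>` runs when the evaluated condition equals `ExecuteActionsIf`, which defaults to true), works on a constructed copy of the question's `<Actions>` block with the namespace omitted, and uses a `verifier_prefix` name check that is this checker's own assumption about how verifier profiles are named.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <Actions> block of the display control in
# the question (same technical profile ids and preconditions, policy namespace
# omitted so the fragment parses on its own).
SAMPLE_CONTROL = """
<DisplayControl Id="verifyPhoneControl" UserInterfaceControlType="VerificationControl">
  <Actions>
    <Action Id="SendCode">
      <ValidationClaimsExchange>
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AAD-UserDiscoveryUsingLogonPhoneNumber-FullProfile" />
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="CombineCountryCodeAndNationalNumber" />
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AzureMfa-SendSms">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>objectId</Value>
              <Action>SkipThisValidationTechnicalProfile</Action>
            </Precondition>
          </Preconditions>
        </ValidationClaimsExchangeTechnicalProfile>
      </ValidationClaimsExchange>
    </Action>
    <Action Id="VerifyCode">
      <ValidationClaimsExchange>
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AzureMfa-VerifySms">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
              <Value>objectId</Value>
              <Action>SkipThisValidationTechnicalProfile</Action>
            </Precondition>
          </Preconditions>
        </ValidationClaimsExchangeTechnicalProfile>
      </ValidationClaimsExchange>
    </Action>
  </Actions>
</DisplayControl>
"""

SKIP_ACTION = "SkipThisValidationTechnicalProfile"


def precondition_skips(precond, claims):
    """True if this <Precondition> fires and its action is the skip action.

    Documented B2C semantics: the condition (here ClaimsExist or ClaimEquals)
    is evaluated, and the <Action> runs when that result equals the
    ExecuteActionsIf attribute, which defaults to true.
    """
    if precond.findtext("Action") != SKIP_ACTION:
        return False
    execute_if = precond.get("ExecuteActionsIf", "true").lower() == "true"
    values = [v.text for v in precond.findall("Value")]
    ptype = precond.get("Type")
    if ptype == "ClaimsExist":
        condition = all(v in claims for v in values)
    elif ptype == "ClaimEquals":
        # ClaimEquals lists the claim type first, then the expected value.
        condition = claims.get(values[0]) == values[1]
    else:
        raise ValueError(f"unsupported precondition type {ptype!r}")
    return condition == execute_if


def surviving_profiles(control_xml, action_id, claims):
    """Ids of the validation TPs in the named action that would still run
    for a claims bag (dict of claim type -> value) at the time of the action."""
    root = ET.fromstring(control_xml.strip())
    survivors = []
    for action in root.find("Actions").findall("Action"):
        if action.get("Id") != action_id:
            continue
        for tp in action.iter("ValidationClaimsExchangeTechnicalProfile"):
            skipped = any(precondition_skips(p, claims)
                          for p in tp.iter("Precondition"))
            if not skipped:
                survivors.append(tp.get("TechnicalProfileReferenceId"))
    return survivors


def verify_is_enforced(control_xml, claims, verifier_prefix="AzureMfa-Verify"):
    """Fail-closed check: VerifyCode must keep at least one surviving TP whose
    id marks it as the real code verifier. The prefix is an assumption of this
    checker, chosen to match the naming used in the question."""
    return any(tp.startswith(verifier_prefix)
               for tp in surviving_profiles(control_xml, "VerifyCode", claims))


if __name__ == "__main__":
    for bag in ({}, {"objectId": "00000000-0000-0000-0000-000000000000"}):
        print(sorted(bag), "->",
              surviving_profiles(SAMPLE_CONTROL, "VerifyCode", bag),
              "enforced:", verify_is_enforced(SAMPLE_CONTROL, bag))
```

Run with an empty bag, the VerifyCode action keeps no validator at all, so a submitted code is never compared against anything; with `objectId` present, `AzureMfa-VerifySms` survives. The useful exercise is to feed in the claims you can confirm (from Application Insights journey recording, for instance) are in the bag when VerifyCode fires, rather than the ones you expect to be there.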
