REST API - Enrollment - Allow Retries

I have written a web page that allows our users to manage their authentication methods.  I have this working quite well with one exception. If a user mistypes their one-time password, I can't get Advanced Authentication to allow them to try again.

Here's what I am seeing.

I make these REST API calls when walking a user through setting up a new authentication method:

  • Get an endpoint session
    https://{host}/api/v1/endpoints/{endpoint_ID}/sessions
  • Start a login session to the Authenticators Management event
    https://{host}/api/v1/logon
    https://{host}/api/v1/logon/{endpoint_session_ID}/do_logon
  • List my current templates
    https://{host}/api/v1/users/{userID}/templates?login_session_id={login_session_ID}
  • Start an enrollment session
    https://qatauth.fmins.com/api/v1/enroll
    https://qatauth.fmins.com/api/v1/enroll/{login_session_ID}/do_enroll

The final step is to complete the enrollment with the verification code, which requires one more call to

  • https://qatauth.fmins.com/api/v1/enroll/{login_session_ID}/do_enroll

with the one-time password.  If I provide an incorrect code, this is my response, which is expected.

{ "status": "FAILED", "msg": "Incorrect One-Time Password (OTP) entered. Please re-enter your OTP.", "reason": "OTP_WRONG_PASSWORD", "msgid": "AUCORE-2015" }

However, if I try to enter the correct one-time password shortly afterward (well within the 120-second window), I get:

{ "status": "FAILED", "msg": "Enrollment process could not be found PTXtx6OhmVu5epSvjBTZ3APOKGtqw74x", "reason": "PROCESS_NOT_FOUND_OR_EXPIRED", "msgid": "AUCORE-1015" }

The system will not let me try again if I mistype the one-time password.  Based on the error, it seems to destroy the enrollment session immediately after an incorrect one-time password is entered.  

However, when I use the built-in page, it lets me retry as expected.  So there has to be a setting somewhere that is preventing the REST API from allowing retry attempts at entering the one-time password.

Can someone help with this?