Those tokens are rarely actually one-time-use; they're more commonly time-limited (and you still have cache invalidation problems even if they're supposed to be one-time). Further, they fail to deliver so often that it's not hard to intercept one and use it, forcing the user to retry.
That's interesting because most of the ones I've seen work like this:
- user created, 2FA token created, user not active
- user gets 2FA token via 2nd channel
- user enters token, gets to create a password for account
- user active, token invalidated
This isn't airtight - nothing is - but it means either you got the token or you can't log in to your account, which should raise a red flag.
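
The four-step flow listed in the reply above, as an added example that is not part of either comment: a single `UPDATE` checks the token, activates the user and invalidates the token together, so the token is one-time as well as time-limited. The schema, the function names, the 15-minute lifetime and the in-memory SQLite store are all assumptions made for the illustration.

```python
import hashlib, os, secrets, sqlite3, time

TOKEN_TTL = 15 * 60  # seconds; assumed lifetime, not taken from the thread

def open_db():
    db = sqlite3.connect(":memory:")  # stand-in for the real user store
    db.execute("""CREATE TABLE users (
        email TEXT PRIMARY KEY, active INTEGER NOT NULL DEFAULT 0,
        token_hash BLOB, token_expires REAL, pw_salt BLOB, pw_hash BLOB)""")
    return db

def _h(token):
    # Only a hash of the token is stored, so a database leak yields no usable tokens.
    return hashlib.sha256(token.encode()).digest()

def create_user(db, email, now=None):
    """Steps 1-2: create an inactive user and a token for the second channel."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    with db:
        db.execute(
            "INSERT INTO users (email, token_hash, token_expires) VALUES (?, ?, ?)",
            (email, _h(token), now + TOKEN_TTL))
    return token

def redeem(db, token, password, now=None):
    """Steps 3-4: set the password, activate the user, invalidate the token."""
    now = time.time() if now is None else now
    salt = os.urandom(16)
    pw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    with db:
        # Check and invalidation happen in one statement: there is no window
        # between "token looks valid" and "token marked used" for a second use.
        cur = db.execute(
            """UPDATE users
                  SET active = 1, token_hash = NULL, token_expires = NULL,
                      pw_salt = ?, pw_hash = ?
                WHERE token_hash = ? AND active = 0 AND token_expires > ?""",
            (salt, pw, _h(token), now))
    return cur.rowcount == 1  # False: unknown, expired or already-used token

def is_active(db, email):
    row = db.execute("SELECT active FROM users WHERE email = ?", (email,)).fetchone()
    return bool(row and row[0])
```

A `False` from `redeem` for a token that was issued and has not expired means someone else redeemed it first, which is the red-flag case the reply describes and is worth logging.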