Everything should be running smoothly with the mfa user flow in the sandbox now! If you use "1again" (for example) instead of the correct response "again", you will receive an appropriate error code response:
{"code":1203,"message":"invalid mfa","resolve":"The MFA response provided was not correct."}