When running AuthHub, once the client has a x-flow-state value, this one can be reused in the URL to access an endpoint resource bypassing the SMS/OTP multifactor authentication.
The SMS/OTP challenge can be bypassed by directly accessing the constructed following URL after login:
https://_app._host._domain._com/default/oauth2/v1/myapp?x-flow-state=eXlh [...]
This issue was resolved in Jun.02 release.
Upgrade to latest version June.04 or more recent to address this issue.