First of all, MFA is a little bit too much for such an portal.
You sent me a passcode, confirm I logged in. But while I logged in you mentioned that the code is expired. Fyi; the one received a second before. Btw; why do I have to enter my password again!!
Why do you have such an old-facioned MFA solution. Integrate with a solution like DUO security, Microsoft authenticator where push confirmation makes it more state to the art or even you go the basic mechanism of Google Authenticator. But emailing a code which you deny as well. Come on, you are one of the biggest companies in te world. You can do better