Issue
Use case we are discussing here is, a MFA enabled user is not redirecting to "validate_multifactor_auth_code.do" page after successful enrolment of a MFA device. Instead the page is taking to welcome.do
To diagnose the issue, use the developer tool of the browser and follow the transaction. Here in this case, we could see after the user enters the credentials, page "login.do" "validate_multifactor_auth_code.do" is getting a response of 302 followed by welcome.do with a status of 200
Login.do
validate_multifactor_auth_code.do
Welcome.do
Hence this clear that page is finally landing to welcome.do
Cause
This can be any customisations at the instance level like UI pages, global UI script. If there is no Portal/CMS pages involved you can check with Installation exits
Resolution
Check for installation exits like Login and see if there is any redirections happening.
Examples:
loginFailed : function() {
// redirect back to welcome page if login failed
gs.setRedirect('welcome.do');
Reverting this should fix the issue and you can check the response status of "validate_multifactor_auth_code.do" as 200 afterwards.