Faulty input validation is one thing, and the most obvious that people pick up on, but I can't help feeling that this occurred entirely because of a fundamental wtf in the API design:
It introduces path traversal, making the attacker's job much easier - you only need to type '../sms' to turn the /verify API call into /sms (/verify/../sms/authy_id), which will always return a 200 status and will bypass 2FA.
So they appear to be using an HTTP-based API. In the HTTP protocol there are explicit places for communicating user-supplied variables - in the query string or POST body. So why, for the love of Tim, are they putting the (user-supplied) verification code in the request path?
That's just... no.
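To make the design point concrete, here is an added example (not the commenter's code, not Authy's API, and not the original writeup's exploit): a toy client that builds `/verify/<token>/<authy_id>` the way the quote describes, a stand-in for the dot-segment removal a server or proxy applies before routing (RFC 3986 section 5.2.4, approximated with `posixpath.normpath`), a constructed two-endpoint router where `/sms/<id>` always answers 200, and a hardened builder that validates the token's shape and carries it in the POST body instead of the path. The route names `/verify` and `/sms` come from the quote; everything else (the host placeholder, the sample ids, the router logic, the token format) is assumed for illustration.

```python
import posixpath
import re

API_BASE = "https://api.example.test"   # placeholder host, not a real endpoint
SAMPLE_AUTHY_ID = "123456"               # constructed sample id


def vulnerable_verify_path(token: str, authy_id: str) -> str:
    """Builds the request path the way the quote describes: the user-supplied
    token lands in the path, unencoded and unvalidated."""
    return f"/verify/{token}/{authy_id}"


def routed_path(path: str) -> str:
    """Stand-in for dot-segment removal (RFC 3986 5.2.4) done by a server or
    proxy before routing. posixpath.normpath collapses '..' the same way for
    these inputs, so '/verify/../sms/123' routes as '/sms/123'."""
    return posixpath.normpath(path)


def dispatch(path: str, valid_token: str) -> int:
    """Toy router modelling the two endpoints named in the quote (constructed,
    not Authy's code). /sms/<id> always succeeds; /verify/<token>/<id> checks
    the token. A client that treats any 200 as 'verified' is bypassed when the
    token '../sms' redirects the request to the /sms handler."""
    parts = routed_path(path).strip("/").split("/")
    if parts[0] == "sms" and len(parts) == 2:
        return 200
    if parts[0] == "verify" and len(parts) == 3:
        return 200 if parts[1] == valid_token else 401
    return 404


def safe_verify_request(token: str, authy_id: str) -> tuple:
    """Hardened builder: validate the token's shape (assumed 6-8 digits) and
    put it in the POST body, one of the places HTTP provides for user-supplied
    values. Only the numeric authy_id is interpolated into the path, so no
    user-controlled string can change which route is hit."""
    if not re.fullmatch(r"[0-9]{6,8}", token):
        raise ValueError("token must be 6-8 digits")
    if not re.fullmatch(r"[0-9]+", authy_id):
        raise ValueError("authy_id must be numeric")
    return f"/verify/{authy_id}", {"token": token}


def is_verified_vulnerable(token: str, authy_id: str, valid_token: str) -> bool:
    """The naive client check: 'any 200 means the code was right'."""
    return dispatch(vulnerable_verify_path(token, authy_id), valid_token) == 200


if __name__ == "__main__":
    print(routed_path(vulnerable_verify_path("../sms", SAMPLE_AUTHY_ID)))
    print(is_verified_vulnerable("../sms", SAMPLE_AUTHY_ID, valid_token="654321"))
    print(safe_verify_request("654321", SAMPLE_AUTHY_ID))
```

The hardened builder rejects `../sms` outright, but the more important change is structural: even if validation were wrong, a token sent as a body field cannot rewrite the request path.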