Application authorization with enabled two-factor auth doesn't redirect to redirect_uri

1) I have user with enabled two-factor auth

2) I try to authorize my app with 

https://account.box.com/api/oauth2/authorize?client_id=my_client_id&response_type=code&redirect_uri=https%3a%2f%2fapi.server%2fCallback&state=my_state

3) for users without two-factor auth it redirects back, in that case it goes to /folder/0 All Files