If a Symantec VIP credential bound to a user is disabled, what error code will the authenticateUser (Authenticate User service) return?

Article ID: 164456


Products

VIP Service

Issue/Introduction

If a credential bound to a user is disabled, what error code will the authenticateUser (Authenticate User service) return?

Cause

Error codes 6008 and 6007 are expected when invoking authenticateUser with a security code (Standard OTP) and a disabled, bound credential. Instead, 600D and 6009 are returned.

Resolution

Scenario #1: AuthenticateUser (user bound to one DISABLED credential) on a DISABLED credential returns “600D Operation not allowed in current state of credential.” Because no temporary password is set, the service treats DISABLED as an invalid state. The response also carries a detailed Message element: “operation not allowed on a DISABLED token”.

Scenario #2: AuthenticateUser (user bound to two credentials, one ENABLED and one DISABLED) with the Security Code of the DISABLED credential returns “6009 Authentication Failed”. The states are mixed here: if no temporary password is associated with the disabled credential, that credential is in an invalid state, so the Security Code is matched only against the ENABLED credential.

Scenario #3: AuthenticateUser (user initially bound to one ENABLED credential, which is then removed from the user) with the Security Code of the disassociated credential returns “6008: User does not have an enabled credential for the given credential type.” By providing this error code, we avoid revealing any information regarding the bindings to the user.

Scenario #4: AuthenticateUser (user bound to only one ENABLED credential) with the Security Code of an unbound credential returns “6009 Authentication Failed”, as the Security Code is matched against the (bound) ENABLED credential only.
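
The four scenarios can be expressed as a small decision model that client developers can use as a test fixture when writing error handling. This is an added example, not Symantec's implementation or the VIP API: the `Credential` class, the `authenticate_user` function, the sample credential IDs and codes, and the `0000` success value are assumptions, and the model covers only the case where no temporary password is set.

```python
from dataclasses import dataclass

# Status codes quoted in the article; SUCCESS is an assumed value for this model.
SUCCESS = "0000"
NO_ENABLED_CREDENTIAL = "6008"
AUTH_FAILED = "6009"
INVALID_CREDENTIAL_STATE = "600D"


@dataclass(frozen=True)
class Credential:
    cred_id: str      # constructed sample ID, not a real credential
    state: str        # "ENABLED" or "DISABLED"
    current_otp: str  # constructed stand-in for the code the token shows


def authenticate_user(bound, security_code):
    """Model of the article's scenarios; assumes no temporary password is set."""
    if not bound:
        # Scenario 3: the credential was removed, so nothing is bound.
        return NO_ENABLED_CREDENTIAL
    enabled = [c for c in bound if c.state == "ENABLED"]
    if not enabled:
        # Scenario 1: every bound credential is DISABLED (invalid state).
        return INVALID_CREDENTIAL_STATE
    # Scenarios 2 and 4: only bound, ENABLED credentials are matched.
    if any(c.current_otp == security_code for c in enabled):
        return SUCCESS
    return AUTH_FAILED


def run_scenarios():
    """Replay the four scenarios with constructed credentials."""
    enabled = Credential("SAMPLE0001", "ENABLED", "111111")
    disabled = Credential("SAMPLE0002", "DISABLED", "222222")
    unbound = Credential("SAMPLE0003", "ENABLED", "333333")
    return {
        1: authenticate_user([disabled], disabled.current_otp),
        2: authenticate_user([enabled, disabled], disabled.current_otp),
        3: authenticate_user([], enabled.current_otp),
        4: authenticate_user([enabled], unbound.current_otp),
    }


if __name__ == "__main__":
    for number, code in run_scenarios().items():
        print(f"Scenario {number}: {code}")
```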