The docs say that when unlockAccount has been successful it should return the sessionToken: @okta/okta-auth-js - npm
But this is not the case.
Hello,
A successful /verify of a recovery factor should return a stateToken.
I will let the dev team know.