At MIT, users with username/root principals often have SAM2 preauth required for those principals. The SAM2 Duo preauth plugin currently deployed doesn't provide good feedback when the password is incorrect.
show what happens with an incorrect password.
I get the following for a correct password.
We should either document the existing behavior in the KB or improve the error reporting behavior. Arguably, giving more direct feedback about which factor failed makes it easier to guess passwords, but that is a usability tradeoff which we should consciously make and document.