bperniciaro
commented
2 months ago After some more digging, I'm thinking this is deliberate where the first prompt is to complete the registration process, whereas the second is to complete the authentication process. This could be more clear if the prompts in these cases weren't identical.
I'm using the TOTP policy as-is, out of the box, and after scanning the Authenticator app for the first time, the subsequent OTP PW verification ALWAYS fails. Doesn't matter if I enter the first OTP I see, or wait a minute, the first one always fails.
After the first failure, everything seems to work as expected. The next password works, and every OTP entry associated with logins works fine as well.