If the first (and only?) login attempt fails, the user is left in no man's land. (Or it's not clear to me how another attempt should be made.) This can be avoided by either:
make a preset number of attempts, and exist after the last failure, or
implement a command to authenticate (if switch_user is desirable, it should be loaded by default) and prompt the user to execute the appropriate command.
If the first (and only?) login attempt fails, the user is left in no man's land. (Or it's not clear to me how another attempt should be made.) This can be avoided by either: