162ee60efb
Even though the resource doesn't exist, chrome (and probably other browsers) will request the favicon after requesting the "second-factor" page. Requests for the favicon prevented proceeding past the second-factor page and never hitting the POST to "second-factor". Instead, the sample prompts for the username, again. Exposing favicon (even though it doesn't exist) resolves the issue.