One of my favorite modern cybersecurity design things is when something on the server side authentication fails instead of your actual credentials / MFA, but the failure error message is identical so you spend an hour doing resets and second guessing yourself only to have everything work perfectly a little later on.