diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index a37dd5b87..ae17d3730 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -98,7 +98,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y libudev-dev
 
       - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v5
         with:
           version: latest
           args: build --snapshot --clean --config .goreleaser.${{ matrix.os }}.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 063c1f8bb..5577d09bb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,14 +43,14 @@ jobs:
       run: |
         echo REPOSITORY_NAME_LOWERCASE=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
 
-    - uses: "docker/login-action@v2"
+    - uses: "docker/login-action@v3"
       if: matrix.os == 'ubuntu-20.04'
       with:
         registry: "ghcr.io"
         username: "${{ github.actor }}"
         password: "${{ secrets.GITHUB_TOKEN }}"
     - name: GoReleaser
-      uses: goreleaser/goreleaser-action@v4
+      uses: goreleaser/goreleaser-action@v5
       with:
         version: latest
         args: release --clean --config .goreleaser.${{ matrix.os }}.yml
diff --git a/go.mod b/go.mod
index 34c9f273f..6e4591543 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/PuerkitoBio/goquery v1.8.1
 	github.com/alecthomas/kingpin v2.2.6+incompatible
 	github.com/avast/retry-go v3.0.0+incompatible
-	github.com/aws/aws-sdk-go v1.45.2
+	github.com/aws/aws-sdk-go v1.46.2
 	github.com/beevik/etree v1.2.0
 	github.com/danieljoos/wincred v1.2.0
 	github.com/google/uuid v1.3.1
@@ -22,8 +22,8 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	github.com/stretchr/testify v1.8.4
-	github.com/tidwall/gjson v1.16.0
-	golang.org/x/net v0.14.0
+	github.com/tidwall/gjson v1.17.0
+	golang.org/x/net v0.17.0
 	gopkg.in/ini.v1 v1.67.0
 )
 
@@ -52,9 +52,9 @@ require (
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.12.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
-	golang.org/x/term v0.11.0 // indirect
-	golang.org/x/text v0.12.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index b30a483b8..f03ff336e 100644
--- a/go.sum
+++ b/go.sum
@@ -24,8 +24,8 @@ github.com/andybalholm/cascadia v1.3.1/go.mod h1:R4bJ1UQfqADjvDa4P6HZHLh/3OxWWEq
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHSxpiH9JdtuBj0=
 github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
-github.com/aws/aws-sdk-go v1.45.2 h1:hTong9YUklQKqzrGk3WnKABReb5R8GjbG4Y6dEQfjnk=
-github.com/aws/aws-sdk-go v1.45.2/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go v1.46.2 h1:XZbOmjtN1VCfEtQq7QNFsbxIqO+bB+bRhiOBjp6AzWc=
+github.com/aws/aws-sdk-go v1.46.2/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/bearsh/hid v1.3.0 h1:GLNa8hvEzJxzQEEpheDUr2SivvH7iwTrJrDhFKutfX8=
 github.com/bearsh/hid v1.3.0/go.mod h1:KbQByg8WfPr92v7aaKAHTtZUEVG7e2XRpcF8+TopQv8=
 github.com/beevik/etree v1.2.0 h1:l7WETslUG/T+xOPs47dtd6jov2Ii/8/OjCldk5fYfQw=
@@ -178,8 +178,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/tidwall/gjson v1.16.0 h1:SyXa+dsSPpUlcwEDuKuEBJEz5vzTvOea+9rjyYodQFg=
-github.com/tidwall/gjson v1.16.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM=
+github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
@@ -200,8 +200,8 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
-golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -217,8 +217,8 @@ golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
-golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -241,22 +241,22 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
-golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
-golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
diff --git a/pkg/provider/aad/aad.go b/pkg/provider/aad/aad.go
index 0bfb8121f..0a109b8f3 100644
--- a/pkg/provider/aad/aad.go
+++ b/pkg/provider/aad/aad.go
@@ -653,6 +653,11 @@ func (ac *Client) processConvergedProofUpRedirect(res *http.Response, srcBodyStr
 		return res, errors.Wrap(err, "skip MFA response unmarshal error")
 	}
 
+	// 50058: user is not signed in (yet)
+	if convergedResponse.SErrorCode != "" && convergedResponse.SErrorCode != "50058" {
+		return res, fmt.Errorf("login error %s", convergedResponse.SErrorCode)
+	}
+
 	if convergedResponse.URLSkipMfaRegistration == "" {
 		return res, errors.Wrap(err, "skip MFA not possible")
 	}
diff --git a/pkg/provider/aad/aad_test.go b/pkg/provider/aad/aad_test.go
index ca34ddc44..c47e45aec 100644
--- a/pkg/provider/aad/aad_test.go
+++ b/pkg/provider/aad/aad_test.go
@@ -61,6 +61,7 @@ type FixtureData struct {
 	ProofUpToken                          string // UVrFbiiZj6kdD6oWm4k87CkipgjEbKhlq_dKoMTo8p0TRCf4utimEAnOizRQ7qAoHaotT08os5kctHfJhXw7dkactSsYjtYo9Lt_1vlPPmZ8i0FtfrwjMeztp0sMY6PHkfRO_sWIHR2bsvIpjaKqqNTJ8PZCuwNmfR8Tx2Jdud3F1FcUgkF3-MG5omxJR7oaueRn1SvnjR-sWEleKptBqLTFnVwNeY8kVfpiKV4liNACZkWc9N5CJRC7HO4aLHVUkKcWaCERUZWeaHh0Bdk_aHSZFll1C6yBv0v4IIJfTQuCOdRMXmqvSpxpRUcwgZ7vdY6krAYUAV8SG926Fptr3if69AM5GHxKN4AlyNNJZ5ghv0yqwI4aGTg1vsanq0q8ZE80TOCBZdMz39Tr_J5MKMW2HO7lEMPtZYBCYwz3Z4nzbgWo9aB65GcxNcnzXgBMeiwjgxQphpFahbj89Rc8H0PWbN4Yhh-aDlv_UMwd2lp1I98hxdEn-8uA56xCE4l1647RuwSiCIfzE_6dYxXm8Q
 	UserName                              string // exampleuser@exampledomain.com
 	UserNameUrlEncoded                    string // exampleuser%40exampledomain.com
+	SErrorCode                            string // 50058
 }
 
 var fixtureData *FixtureData
@@ -308,6 +309,57 @@ func Test_Authenticate(t *testing.T) {
 		require.Nil(t, err)
 		require.NotEmpty(t, got)
 	})
+	t.Run("Default login with KMSI and MFA but Authenticator required", func(t *testing.T) {
+		ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch r.URL.Path {
+			case "/index", "/applications/redirecttofederatedapplication.aspx":
+				writeFixtureBytes(t, w, r, "ConvergedSignIn.html", FixtureData{
+					UrlPost:              "/defaultLogin",
+					UrlGetCredentialType: "/getCredentialType",
+				})
+			case "/getCredentialType":
+				writeFixtureBytes(t, w, r, "GetCredentialType_default.json", FixtureData{})
+			case "/defaultLogin":
+				writeFixtureBytes(t, w, r, "KmsiInterrupt.html", FixtureData{
+					UrlPost: "/hForm",
+				})
+			case "/hForm":
+				writeFixtureBytes(t, w, r, "HiddenForm.html", FixtureData{
+					UrlHiddenForm: "/sRequest",
+				})
+			case "/sRequest":
+				writeFixtureBytes(t, w, r, "SAMLRequest.html", FixtureData{
+					UrlSamlRequest: "/sResponse?SAMLRequest=ExampleValue",
+				})
+			case "/sResponse":
+				writeFixtureBytes(t, w, r, "ConvergedTFA.html", FixtureData{
+					UrlPost:      "/processAuth",
+					UrlBeginAuth: "/beginAuth",
+					UrlEndAuth:   "/endAuth",
+				})
+			case "/beginAuth":
+				writeFixtureBytes(t, w, r, "BeginAuth.json", FixtureData{})
+			case "/endAuth":
+				writeFixtureBytes(t, w, r, "EndAuth.json", FixtureData{})
+			case "/processAuth":
+				writeFixtureBytes(t, w, r, "ConvergedProofUpRedirect.html", FixtureData{
+					SErrorCode: "502031",
+				})
+			default:
+				http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			}
+		}))
+		defer ts.Close()
+
+		pr := &mocks.Prompter{}
+		prompter.SetPrompter(pr)
+		pr.Mock.On("StringRequired", "Enter verification code").Return("000000")
+
+		ac, loginDetails := setupTestClient(t, ts)
+		_, err := ac.Authenticate(loginDetails)
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "502031")
+	})
 	t.Run("ADFS login with KMSI and MFA", func(t *testing.T) {
 		ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			switch r.URL.Path {
@@ -386,56 +438,57 @@ func writeFixtureBytes(t *testing.T, w http.ResponseWriter, r *http.Request, tem
 	template, err := template.ParseFiles("testdata/" + templateFile)
 	require.Nil(t, err)
 	var tpl bytes.Buffer
-	err = template.Execute(&tpl, urlFixtures(r.Host, variableFixture))
+	err = template.Execute(&tpl, responseFixtures(r.Host, variableFixture))
 	require.Nil(t, err)
 	_, _ = w.Write(tpl.Bytes())
 }
 
-func urlFixtures(host string, urls FixtureData) *FixtureData {
+func responseFixtures(host string, variableFixture FixtureData) *FixtureData {
 	const scheme = "https://"
 	fixtureData := genFixtureData()
-	if urls.UrlFederationRedirect != "" {
-		fixtureData.UrlFederationRedirect = scheme + host + urls.UrlFederationRedirect
+	fixtureData.SErrorCode = variableFixture.SErrorCode
+	if variableFixture.UrlFederationRedirect != "" {
+		fixtureData.UrlFederationRedirect = scheme + host + variableFixture.UrlFederationRedirect
 	} else {
 		fixtureData.UrlFederationRedirect = ""
 	}
-	if urls.UrlSkipMfaRegistration != "" {
-		fixtureData.UrlSkipMfaRegistration = scheme + host + urls.UrlSkipMfaRegistration
+	if variableFixture.UrlSkipMfaRegistration != "" {
+		fixtureData.UrlSkipMfaRegistration = scheme + host + variableFixture.UrlSkipMfaRegistration
 	} else {
 		fixtureData.UrlSkipMfaRegistration = ""
 	}
-	if urls.UrlGetCredentialType != "" {
-		fixtureData.UrlGetCredentialType = scheme + host + urls.UrlGetCredentialType
+	if variableFixture.UrlGetCredentialType != "" {
+		fixtureData.UrlGetCredentialType = scheme + host + variableFixture.UrlGetCredentialType
 	} else {
 		fixtureData.UrlGetCredentialType = ""
 	}
-	if urls.UrlPost != "" {
-		fixtureData.UrlPost = scheme + host + urls.UrlPost
+	if variableFixture.UrlPost != "" {
+		fixtureData.UrlPost = scheme + host + variableFixture.UrlPost
 	} else {
 		fixtureData.UrlPost = ""
 	}
-	if urls.UrlBeginAuth != "" {
-		fixtureData.UrlBeginAuth = scheme + host + urls.UrlBeginAuth
+	if variableFixture.UrlBeginAuth != "" {
+		fixtureData.UrlBeginAuth = scheme + host + variableFixture.UrlBeginAuth
 	} else {
 		fixtureData.UrlBeginAuth = ""
 	}
-	if urls.UrlEndAuth != "" {
-		fixtureData.UrlEndAuth = scheme + host + urls.UrlEndAuth
+	if variableFixture.UrlEndAuth != "" {
+		fixtureData.UrlEndAuth = scheme + host + variableFixture.UrlEndAuth
 	} else {
 		fixtureData.UrlEndAuth = ""
 	}
-	if urls.UrlProcessAuth != "" {
-		fixtureData.UrlProcessAuth = scheme + host + urls.UrlProcessAuth
+	if variableFixture.UrlProcessAuth != "" {
+		fixtureData.UrlProcessAuth = scheme + host + variableFixture.UrlProcessAuth
 	} else {
 		fixtureData.UrlProcessAuth = ""
 	}
-	if urls.UrlHiddenForm != "" {
-		fixtureData.UrlHiddenForm = scheme + host + urls.UrlHiddenForm
+	if variableFixture.UrlHiddenForm != "" {
+		fixtureData.UrlHiddenForm = scheme + host + variableFixture.UrlHiddenForm
 	} else {
 		fixtureData.UrlHiddenForm = ""
 	}
-	if urls.UrlSamlRequest != "" {
-		fixtureData.UrlSamlRequest = scheme + host + urls.UrlSamlRequest
+	if variableFixture.UrlSamlRequest != "" {
+		fixtureData.UrlSamlRequest = scheme + host + variableFixture.UrlSamlRequest
 	} else {
 		fixtureData.UrlSamlRequest = ""
 	}
diff --git a/pkg/provider/aad/testdata/ConvergedProofUpRedirect.html b/pkg/provider/aad/testdata/ConvergedProofUpRedirect.html
index 045e1facd..434af1199 100644
--- a/pkg/provider/aad/testdata/ConvergedProofUpRedirect.html
+++ b/pkg/provider/aad/testdata/ConvergedProofUpRedirect.html
@@ -32,7 +32,7 @@
 <meta name="robots" content="none" />
 
 <script type="text/javascript">//<![CDATA[
-$Config={"urlPostRedirect":"{{.UrlProcessAuth}}","urlSkipMfaRegistration":"{{.UrlSkipMfaRegistration}}","urlMoreInfo":"https://go.microsoft.com/fwlink/p/?LinkId=708614","urlSecurityDefaultsLearnMore":"https://aka.ms/securitydefaults","urlSetUpMfa":"browser://aka.ms/mfasetup","sProofUpToken":"{{.ProofUpToken}}","sProofUpTokenName":"evo_code","sProofUpAuthState":"{{.Ctx}}","sCanaryToken":"{{.Canary}}=6:1","iRemainingDaysToSkipMfaRegistration":10,"iMaxStackForKnockoutAsyncComponents":10000,"fShowButtons":true,"urlCdn":"https://aadcdn.msftauth.net/shared/1.0/","urlDefaultFavicon":"https://aadcdn.msftauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico","urlFooterTOU":"https://www.microsoft.com/en-US/servicesagreement/","urlFooterPrivacy":"https://privacy.microsoft.com/en-US/privacystatement","urlPost":"{{.UrlPost}}","urlCancel":"https://login.microsoftonline.com/common/reprocess?prompt=select_account\u0026sosid={{.SosId}}\u0026ctx={{.Ctx}}","iPawnIcon":0,"sPOST_Username":"{{.UserName}}","sFT":"{{.SFT}}","sFTName":"flowToken","sCanaryTokenName":"canary","dynamicTenantBranding":null,"staticTenantBranding":null,"oAppCobranding":{},"iBackgroundImage":2,"fApplicationInsightsEnabled":false,"iApplicationInsightsEnabledPercentage":0,"urlSetDebugMode":"https://login.microsoftonline.com/common/debugmode","fEnableCssAnimation":true,"fDisableAnimationIfAnimationEndUnsupported":true,"fAllowGrayOutLightBox":true,"fIsRemoteNGCSupported":true,"desktopSsoConfig":{"isEdgeAnaheimAllowed":true,"iwaEndpointUrlFormat":"https://autologon.microsoftazuread-sso.com/{0}/winauth/sso?client-request-id={{.ClientRequestId}}","iwaSsoProbeUrlFormat":"https://autologon.microsoftazuread-sso.com/{0}/winauth/ssoprobe?client-request-id={{.ClientRequestId}}","iwaIFrameUrlFormat":"https://autologon.microsoftazuread-sso.com/{0}/winauth/iframe?client-request-id={{.ClientRequestId}}\u0026isAdalRequest=False","iwaRequestTimeoutInMs":10000,"startDesktopSsoOnPageLoad":false,"progressAnimationTimeout":10000,"isEdgeAllowed":false,"minDssoEdgeVersion":"17","isSafariAllowed":true,"redirectUri":"https://account.activedirectory.windowsazure.com/","redirectDssoErrorPostParams":{"error":"interaction_required","error_description":"Seamless single sign on failed for the user. This can happen if the user is unable to access on premises AD or intranet zone is not configured correctly\r\nTrace ID: {{.SessionId}}\r\nCorrelation ID: {{.ClientRequestId}}\r\nTimestamp: 2020-01-01 00:00:00Z","state":"OpenIdConnect.AuthenticationProperties={{.OpenIdConnectAuthenticationProperties}}"},"isIEAllowedForSsoProbe":true,"edgeRedirectUri":"https://autologon.microsoftazuread-sso.com/common/winauth/sso/edgeredirect?client-request-id={{.ClientRequestId}}\u0026origin=login.microsoftonline.com\u0026is_redirected=1"},"iSessionPullType":2,"fUseSameSite":true,"isGlobalTenant":true,"uiflavor":1001,"fOfflineAccountVisible":false,"scriptNonce":"","fEnableUserStateFix":true,"fShowAccessPassPeek":true,"fUpdateSessionPollingLogic":true,"scid":1000,"hpgact":2000,"hpgid":1121,"pgid":"ConvergedProofUpRedirect","apiCanary":"{{.ApiCanary}}","canary":"{{.Canary}}=6:1","correlationId":"{{.ClientRequestId}}","sessionId":"{{.SessionId}}","locale":{"mkt":"en-US","lcid":1033},"slMaxRetry":2,"slReportFailure":true,"strings":{"desktopsso":{"authenticatingmessage":"Trying to sign you in"}},"enums":{"ClientMetricsModes":{"None":0,"SubmitOnPost":1,"SubmitOnRedirect":2,"InstrumentPlt":4}},"urls":{"instr":{"pageload":"https://login.microsoftonline.com/common/instrumentation/reportpageload","dssostatus":"https://login.microsoftonline.com/common/instrumentation/dssostatus"}},"browser":{"ltr":1,"Firefox":1,"_Mac":1,"_M98":1,"_D0":1,"Full":1,"RE_Gecko":1,"b":{"name":"Firefox","major":98,"minor":0},"os":{"name":"OSX","version":""},"V":"98.0"},"watson":{"url":"/common/handlers/watson","bundle":"https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/watson.min_ybdb1ixzkv-fkor2mu6q6w2.js","sbundle":"https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/watsonsupportwithjquery.3.5.min_dc940oomzau4rsu8qesnvg2.js","fbundle":"https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/frameworksupport.min_oadrnc13magb009k4d20lg2.js","resetErrorPeriod":5,"maxCorsErrors":-1,"maxInjectErrors":5,"maxErrors":10,"maxTotalErrors":3,"expSrcs":["https://login.microsoftonline.com","https://aadcdn.msauth.net/","https://aadcdn.msftauth.net/",".login.microsoftonline.com"],"envErrorRedirect":true,"envErrorUrl":"/common/handlers/enverror"},"loader":{"cdnRoots":["https://aadcdn.msauth.net/","https://aadcdn.msftauth.net/"],"logByThrowing":true},"serverDetails":{"slc":"ProdSlices","dc":"WEULR1","ri":"AM2XXXX","ver":{"v":[2,1,12621,8]},"rt":"2020-01-01T00:00:00","et":143},"clientEvents":{"enabled":true,"telemetryEnabled":true,"useOneDSEventApi":true,"flush":60000,"autoPost":true,"autoPostDelay":1000,"minEvents":1,"maxEvents":1,"pltDelay":500,"appInsightsConfig":{"instrumentationKey":"{{.InstrumentationKey}}","webAnalyticsConfiguration":{"autoCapture":{"jsError":true}}},"defaultEventName":"IDUX_ESTSClientTelemetryEvent_WebWatson","serviceID":3},"fApplyAsciiRegexOnInput":true,"country":"DE","fBreakBrandingSigninString":true,"urlNoCookies":"https://login.microsoftonline.com/cookiesdisabled","fTrimChromeBssoUrl":true,"inlineMode":5,"fShowCopyDebugDetailsLink":true};
+$Config={"urlPostRedirect":"{{.UrlProcessAuth}}","urlSkipMfaRegistration":"{{.UrlSkipMfaRegistration}}","urlMoreInfo":"https://go.microsoft.com/fwlink/p/?LinkId=708614","urlSecurityDefaultsLearnMore":"https://aka.ms/securitydefaults","urlSetUpMfa":"browser://aka.ms/mfasetup","sProofUpToken":"{{.ProofUpToken}}","sProofUpTokenName":"evo_code","sProofUpAuthState":"{{.Ctx}}","sErrorCode": "{{.SErrorCode}}", "sCanaryToken":"{{.Canary}}=6:1","iRemainingDaysToSkipMfaRegistration":10,"iMaxStackForKnockoutAsyncComponents":10000,"fShowButtons":true,"urlCdn":"https://aadcdn.msftauth.net/shared/1.0/","urlDefaultFavicon":"https://aadcdn.msftauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico","urlFooterTOU":"https://www.microsoft.com/en-US/servicesagreement/","urlFooterPrivacy":"https://privacy.microsoft.com/en-US/privacystatement","urlPost":"{{.UrlPost}}","urlCancel":"https://login.microsoftonline.com/common/reprocess?prompt=select_account\u0026sosid={{.SosId}}\u0026ctx={{.Ctx}}","iPawnIcon":0,"sPOST_Username":"{{.UserName}}","sFT":"{{.SFT}}","sFTName":"flowToken","sCanaryTokenName":"canary","dynamicTenantBranding":null,"staticTenantBranding":null,"oAppCobranding":{},"iBackgroundImage":2,"fApplicationInsightsEnabled":false,"iApplicationInsightsEnabledPercentage":0,"urlSetDebugMode":"https://login.microsoftonline.com/common/debugmode","fEnableCssAnimation":true,"fDisableAnimationIfAnimationEndUnsupported":true,"fAllowGrayOutLightBox":true,"fIsRemoteNGCSupported":true,"desktopSsoConfig":{"isEdgeAnaheimAllowed":true,"iwaEndpointUrlFormat":"https://autologon.microsoftazuread-sso.com/{0}/winauth/sso?client-request-id={{.ClientRequestId}}","iwaSsoProbeUrlFormat":"https://autologon.microsoftazuread-sso.com/{0}/winauth/ssoprobe?client-request-id={{.ClientRequestId}}","iwaIFrameUrlFormat":"https://autologon.microsoftazuread-sso.com/{0}/winauth/iframe?client-request-id={{.ClientRequestId}}\u0026isAdalRequest=False","iwaRequestTimeoutInMs":10000,"startDesktopSsoOnPageLoad":false,"progressAnimationTimeout":10000,"isEdgeAllowed":false,"minDssoEdgeVersion":"17","isSafariAllowed":true,"redirectUri":"https://account.activedirectory.windowsazure.com/","redirectDssoErrorPostParams":{"error":"interaction_required","error_description":"Seamless single sign on failed for the user. This can happen if the user is unable to access on premises AD or intranet zone is not configured correctly\r\nTrace ID: {{.SessionId}}\r\nCorrelation ID: {{.ClientRequestId}}\r\nTimestamp: 2020-01-01 00:00:00Z","state":"OpenIdConnect.AuthenticationProperties={{.OpenIdConnectAuthenticationProperties}}"},"isIEAllowedForSsoProbe":true,"edgeRedirectUri":"https://autologon.microsoftazuread-sso.com/common/winauth/sso/edgeredirect?client-request-id={{.ClientRequestId}}\u0026origin=login.microsoftonline.com\u0026is_redirected=1"},"iSessionPullType":2,"fUseSameSite":true,"isGlobalTenant":true,"uiflavor":1001,"fOfflineAccountVisible":false,"scriptNonce":"","fEnableUserStateFix":true,"fShowAccessPassPeek":true,"fUpdateSessionPollingLogic":true,"scid":1000,"hpgact":2000,"hpgid":1121,"pgid":"ConvergedProofUpRedirect","apiCanary":"{{.ApiCanary}}","canary":"{{.Canary}}=6:1","correlationId":"{{.ClientRequestId}}","sessionId":"{{.SessionId}}","locale":{"mkt":"en-US","lcid":1033},"slMaxRetry":2,"slReportFailure":true,"strings":{"desktopsso":{"authenticatingmessage":"Trying to sign you in"}},"enums":{"ClientMetricsModes":{"None":0,"SubmitOnPost":1,"SubmitOnRedirect":2,"InstrumentPlt":4}},"urls":{"instr":{"pageload":"https://login.microsoftonline.com/common/instrumentation/reportpageload","dssostatus":"https://login.microsoftonline.com/common/instrumentation/dssostatus"}},"browser":{"ltr":1,"Firefox":1,"_Mac":1,"_M98":1,"_D0":1,"Full":1,"RE_Gecko":1,"b":{"name":"Firefox","major":98,"minor":0},"os":{"name":"OSX","version":""},"V":"98.0"},"watson":{"url":"/common/handlers/watson","bundle":"https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/watson.min_ybdb1ixzkv-fkor2mu6q6w2.js","sbundle":"https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/watsonsupportwithjquery.3.5.min_dc940oomzau4rsu8qesnvg2.js","fbundle":"https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/frameworksupport.min_oadrnc13magb009k4d20lg2.js","resetErrorPeriod":5,"maxCorsErrors":-1,"maxInjectErrors":5,"maxErrors":10,"maxTotalErrors":3,"expSrcs":["https://login.microsoftonline.com","https://aadcdn.msauth.net/","https://aadcdn.msftauth.net/",".login.microsoftonline.com"],"envErrorRedirect":true,"envErrorUrl":"/common/handlers/enverror"},"loader":{"cdnRoots":["https://aadcdn.msauth.net/","https://aadcdn.msftauth.net/"],"logByThrowing":true},"serverDetails":{"slc":"ProdSlices","dc":"WEULR1","ri":"AM2XXXX","ver":{"v":[2,1,12621,8]},"rt":"2020-01-01T00:00:00","et":143},"clientEvents":{"enabled":true,"telemetryEnabled":true,"useOneDSEventApi":true,"flush":60000,"autoPost":true,"autoPostDelay":1000,"minEvents":1,"maxEvents":1,"pltDelay":500,"appInsightsConfig":{"instrumentationKey":"{{.InstrumentationKey}}","webAnalyticsConfiguration":{"autoCapture":{"jsError":true}}},"defaultEventName":"IDUX_ESTSClientTelemetryEvent_WebWatson","serviceID":3},"fApplyAsciiRegexOnInput":true,"country":"DE","fBreakBrandingSigninString":true,"urlNoCookies":"https://login.microsoftonline.com/cookiesdisabled","fTrimChromeBssoUrl":true,"inlineMode":5,"fShowCopyDebugDetailsLink":true};
 //]]></script> 
 <script type="text/javascript">//<![CDATA[
 /* embedded js */
diff --git a/pkg/provider/okta/okta.go b/pkg/provider/okta/okta.go
index d15323a05..7ba794d69 100644
--- a/pkg/provider/okta/okta.go
+++ b/pkg/provider/okta/okta.go
@@ -979,16 +979,22 @@ func verifyMfa(oc *Client, oktaOrgHost string, loginDetails *creds.LoginDetails,
 			duoMfaOptions = append(duoMfaOptions, "Passcode")
 		}
 
-		duoMfaOption := 0
+		duoMfaOption := -1
 
-		if loginDetails.DuoMFAOption == "Duo Push" {
-			duoMfaOption = 1
-		} else if loginDetails.DuoMFAOption == "Passcode" {
-			duoMfaOption = 2
+		if loginDetails.DuoMFAOption != "" {
+			for i, v := range duoMfaOptions {
+				if loginDetails.DuoMFAOption == v {
+					duoMfaOption = i
+				}
+			}
 		} else {
 			duoMfaOption = prompter.Choose("Select a DUO MFA Option", duoMfaOptions)
 		}
 
+		if duoMfaOption == -1 {
+			return "", errors.Errorf("error unsupported MFA option '%s'", loginDetails.DuoMFAOption)
+		}
+
 		if duoMfaOptions[duoMfaOption] == "Passcode" {
 			//get users DUO MFA Token
 			token = prompter.StringRequired("Enter passcode")
diff --git a/pkg/provider/okta/okta_test.go b/pkg/provider/okta/okta_test.go
index be143488b..a45b75d8f 100644
--- a/pkg/provider/okta/okta_test.go
+++ b/pkg/provider/okta/okta_test.go
@@ -3,6 +3,7 @@ package okta
 import (
 	"bytes"
 	"crypto/tls"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -264,6 +265,262 @@ func TestVerifyMfa(t *testing.T) {
 	})
 }
 
+func TestVerifyMfa_Duo(t *testing.T) {
+	verifyCounter := 0
+	statusCounter := 0
+	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/frame/web/v1/auth":
+			query, err := url.ParseQuery(r.URL.RawQuery)
+			assert.Equal(t, url.Values{
+				"parent": {"https://host-from-argument/signin/verify/duo/web"},
+				"tx":     {"TX|blah_tx_blah"},
+				"v":      {"2.8"}},
+				query)
+			assert.Nil(t, err)
+
+			body, err := io.ReadAll(r.Body)
+			defer r.Body.Close()
+			assert.Nil(t, err)
+
+			query, err = url.ParseQuery(string(body))
+			assert.Equal(t, url.Values{
+				"acting_ie_version":           {""},
+				"color_depth":                 {"24"},
+				"flash_version":               {""},
+				"is_cef_browser":              {"false"},
+				"is_ie_compatability_mode":    {""},
+				"is_ipad_os":                  {"false"},
+				"java_version":                {""},
+				"parent":                      {"https://host-from-argument/signin/verify/duo/web"},
+				"react_support":               {"true"},
+				"react_support_error_message": {""},
+				"screen_resolution_height":    {"1692"},
+				"screen_resolution_width":     {"3008"},
+				"tx":                          {"TX|blah_tx_blah"}},
+				query)
+			assert.Nil(t, err)
+
+			_, err = w.Write([]byte(`<!DOCTYPE html>
+			<html lang="en">
+			  <body>
+				<form>
+				  <input type="hidden" name="sid" value="secret_sid">
+				  <select name="device">
+					<option value="phone1"></option>
+				  </select>
+				</form>
+			  </body>
+			</html>`))
+			assert.Nil(t, err)
+		case "/frame/prompt":
+			query, err := url.ParseQuery(r.URL.RawQuery)
+			assert.Equal(t, url.Values{}, query)
+			assert.Nil(t, err)
+
+			body, err := io.ReadAll(r.Body)
+			defer r.Body.Close()
+			assert.Nil(t, err)
+
+			query, err = url.ParseQuery(string(body))
+			assert.Equal(t, url.Values{
+				"device":      {"phone1"},
+				"factor":      {"Duo Push"},
+				"out_of_date": {"false"},
+				"sid":         {"secret_sid"},
+			}, query)
+			assert.Nil(t, err)
+
+			_, err = w.Write([]byte(`{"stat": "OK", "response": {"txid": "txid_1234"}}`))
+			assert.Nil(t, err)
+		case "/frame/status":
+			switch statusCounter {
+			case 0:
+				query, err := url.ParseQuery(r.URL.RawQuery)
+				assert.Equal(t, url.Values{}, query)
+				assert.Nil(t, err)
+
+				body, err := io.ReadAll(r.Body)
+				defer r.Body.Close()
+				assert.Nil(t, err)
+
+				query, err = url.ParseQuery(string(body))
+				assert.Equal(t, url.Values{
+					"sid":  {"secret_sid"},
+					"txid": {"txid_1234"},
+				}, query)
+				assert.Nil(t, err)
+
+				_, err = w.Write([]byte(`{
+				   "stat": "OK",
+				   "response": {
+					 "status": "Pushed a login request to your device...",
+					 "status_code": "pushed"
+				   }
+				 }`))
+				assert.Nil(t, err)
+			case 1:
+				query, err := url.ParseQuery(r.URL.RawQuery)
+				assert.Equal(t, url.Values{}, query)
+				assert.Nil(t, err)
+
+				body, err := io.ReadAll(r.Body)
+				defer r.Body.Close()
+				assert.Nil(t, err)
+
+				query, err = url.ParseQuery(string(body))
+				assert.Equal(t, url.Values{
+					"sid":  {"secret_sid"},
+					"txid": {"txid_1234"},
+				}, query)
+				assert.Nil(t, err)
+				_, err = w.Write([]byte(`{
+					"stat": "OK",
+					"response": {
+					  "status": "Success. Logging you in...",
+					  "status_code": "allow",
+					  "result": "SUCCESS",
+					  "result_url": "/frame/status/txid_1234"
+					}
+				  }`))
+				assert.Nil(t, err)
+			}
+			statusCounter++
+		case "/frame/status/txid_1234":
+			query, err := url.ParseQuery(r.URL.RawQuery)
+			assert.Equal(t, url.Values{}, query)
+			assert.Nil(t, err)
+
+			body, err := io.ReadAll(r.Body)
+			defer r.Body.Close()
+			assert.Nil(t, err)
+
+			query, err = url.ParseQuery(string(body))
+			assert.Equal(t, url.Values{
+				"sid": {"secret_sid"},
+			}, query)
+			assert.Nil(t, err)
+
+			_, err = w.Write([]byte(`{
+				"stat": "OK",
+				"response": {
+				  "cookie": "AUTH|yumyum"
+				}
+			  }`))
+			assert.Nil(t, err)
+		case "/verify":
+			switch verifyCounter {
+			case 0:
+				query, err := url.ParseQuery(r.URL.RawQuery)
+				assert.Equal(t, url.Values{
+					"rememberDevice": {"true"},
+				}, query)
+				assert.Nil(t, err)
+
+				body, err := io.ReadAll(r.Body)
+				defer r.Body.Close()
+				assert.Nil(t, err)
+
+				var requestBody interface{} = nil
+				err = json.Unmarshal(body, &requestBody)
+				assert.Equal(t, map[string]interface{}(map[string]interface{}{
+					"rememberDevice": "true",
+					"stateToken":     "TOKEN_1",
+				}), requestBody)
+				assert.Nil(t, err)
+
+				_, err = fmt.Fprintf(w, `{
+					"stateToken": "TOKEN_2",
+					"status": "MFA_CHALLENGE",
+					"factorResult": "WAITING",
+					"_embedded": {
+						"factor": {
+							"id": "factor_id",
+							"provider": "DUO",
+							"factorType": "web",
+							"_embedded": {
+							  "verification": {
+								"host": "%s",
+								"signature": "TX|blah_tx_blah:APP|blah_app_blah",
+								"_links": {
+								  "complete": {
+									"href": "https://%s/api/v1/authn/factors/factor_id/lifecycle/duoCallback"
+								  }
+								}
+							  }
+							}
+						}
+					}
+				}`, r.Host, r.Host)
+				assert.Nil(t, err)
+			case 1:
+				query, err := url.ParseQuery(r.URL.RawQuery)
+				assert.Equal(t, url.Values{
+					"rememberDevice": {"true"},
+				}, query)
+				assert.Nil(t, err)
+
+				body, err := io.ReadAll(r.Body)
+				defer r.Body.Close()
+				assert.Nil(t, err)
+
+				var requestBody interface{} = nil
+				err = json.Unmarshal(body, &requestBody)
+				assert.Equal(t, map[string]interface{}(map[string]interface{}{
+					"rememberDevice": "true",
+					"stateToken":     "TOKEN_1",
+				}), requestBody)
+				assert.Nil(t, err)
+
+				_, err = w.Write([]byte(`{
+				"sessionToken": "session-token-fffffff",
+			}`))
+				assert.Nil(t, err)
+			}
+			verifyCounter++
+		default:
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		}
+	}))
+	defer ts.Close()
+
+	t.Run("Duo", func(t *testing.T) {
+		oc, loginDetails := setupTestClient(t, ts, "DUO")
+
+		err := oc.setDeviceTokenCookie(loginDetails)
+		assert.Nil(t, err)
+
+		var out bytes.Buffer
+		log.SetOutput(&out)
+		context, err := verifyMfa(oc, "host-from-argument", &creds.LoginDetails{DuoMFAOption: "Duo Push"}, fmt.Sprintf(`{
+			"stateToken": "TOKEN_1",
+			"status": "MFA_REQUIRED",
+			"_embedded": {
+				"factors": [
+					{
+						"id": "factor_id",
+						"provider": "DUO",
+						"factorType": "web",
+						"_links": {
+						  "verify": {
+							"href": "%s/verify",
+							"hints": {
+							  "allow": [
+								"POST"
+							  ]
+							}
+						  }
+					   }
+					}
+				]
+			}
+		}`, ts.URL))
+		log.SetOutput(os.Stderr)
+		assert.Nil(t, err)
+		assert.Equal(t, "session-token-fffffff", context)
+	})
+}
+
 func setupTestClient(t *testing.T, ts *httptest.Server, mfa string) (*Client, *creds.LoginDetails) {
 	testTransport := http.DefaultTransport.(*http.Transport).Clone()
 	testTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}