by qwertox 1684 days ago
That's a neat hack if you only have one input box. But all the extra code on the backend needed to differentiate between a normal password and a password+pin sounds like something which could accidentally weaken security.
2 comments

It's really not that complicated given it's a fixed 6-digit appendage.
A secure app shouldn’t be sending passwords in the clear though.
Maybe they're leveraging RADIUS for some of that?
Or PAM, or BSD_Auth, or AD, or ... there's a lot of options.
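The sub-thread above is about a server that accepts either a plain password or a password with a 6-digit one-time code appended in the same field, and whether the splitting logic is a place to introduce a weakness. The following is an added example, not code from any commenter or from the service being discussed: a minimal Python login check that stores a PBKDF2 password hash and an RFC 6238 TOTP secret (the secret below is the RFC's published test value, used here as constructed sample data). The design point it shows is that the server decides how to parse the field from the account's enrollment state, never from the shape of what was typed, so a password that happens to end in six digits is not misread, and an enrolled user cannot bypass the second factor by simply leaving the code off.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; the salt is stored alongside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over the 30-second counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes]  # None means no token has been enrolled for this account


def make_account(username: str, password: str, totp_secret: Optional[bytes] = None) -> Account:
    """Hypothetical enrollment helper: salts and hashes the password, records the token secret."""
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), totp_secret)


def verify_login(account: Account, submitted: str, now: int) -> bool:
    """Check a single combined credential field against the stored account state.

    The account record, not the submitted string, decides whether a code is required.
    """
    if account.totp_secret is None:
        # No token enrolled: the whole field is the password, digits at the end included.
        return hmac.compare_digest(hash_password(submitted, account.salt), account.password_hash)

    # Token enrolled: the last six characters must be the code, whatever the password looks like.
    if len(submitted) <= TOTP_DIGITS or not submitted[-TOTP_DIGITS:].isdigit():
        return False
    password, code = submitted[:-TOTP_DIGITS], submitted[-TOTP_DIGITS:]
    password_ok = hmac.compare_digest(hash_password(password, account.salt), account.password_hash)

    # Accept the previous, current and next step to tolerate small clock drift; evaluate
    # every candidate rather than returning early so timing does not reveal which one matched.
    code_ok = False
    for drift in (-1, 0, 1):
        expected = totp(account.totp_secret, now + drift * TOTP_STEP)
        code_ok |= hmac.compare_digest(code, expected)
    return password_ok and code_ok
```

Two things a reviewer would look for in a real implementation beyond this sketch: the TOTP secret must be stored with the same care as any other credential, and a code that has already been accepted for an account should be rejected until its time step has passed, so a captured combined field cannot be replayed inside the window.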

Supposedly they can also see which capabilities the client has, allowing the fix server side. Why they did that we can only speculate, same with why it's not well known.

I can imagine an engineer with a kid who got a hand-me-down from mom/pop, and them silently fixing it this way because it's within their expertise.

I'd like to hear the authentic story behind it. Hopefully one day!