Okay, ‘not nicely’, but it does. And I think you’re so close.
But, before we continue, let me make this quite clear: Schoolmasterly teachings about what my problems are are not very helpful in this context. I am seeing a software that actually does what I expect it to do - just not nicely. I am not complaining, I’m just trying to help, to improve things, to debug.
BTW, you’re of course right, the plugin is not asking for a ‘valid PIN’. I was confused because when an administrator enrolls a PUSH-token for somebody else he can, optionally and for whatever reason, define a PIN. Therefore I was under the impression the plugin was asking for a PIN. Sorry for that confusion.
Okay, I’ve tested the latest version again. This time just with one single PUSH-token existing. The good news is that it’s no longer asking for an OTP. The bad news is that it doesn’t let me in. It just sits there and waits. And here I repeat myself: It makes things worse.
While the current plugin happily handles both, TOTP and PUSH, even simultaneously, just not nicely, the latest version does not let you in. I think the term ‘worse’ is justified in this case.
So, both versions do not automatically react to the signal that - my wild guess - Firebase is sending. And whilst the current version at least leaves the option to trigger the login with a ‘fake PIN’, the latest version locks you out.
If the current version did what the latest version is supposed to do (but does not) - i.e. log one in automatically - everything would be perfect. You either hit the button in the authenticator or enter an OTP.