...
So it seems best to use the UsernamePassword login handler as well, for any uses that don't require a token. This limits the use of the MultiFactor login handler to those cases where provding an OTP token is in fact strictly required and requested by a Relying Party. Note that Unlicensed user peter had to add a defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" on the <rp:DefaultRelyingParty> element in $IDP_HOME/conf/relying-party.xml as the MultiFactor login handler took precedence. If you have custom <rp:DefaultRelyingParty> elements defined that may also be necessary for those.
...