OTP can be bypassed by refreshing on the OTP prompt page.
Has anyone run into this issue?
On 11.6HF6
If you're at a step in your access policy of prompting for an OTP and the user just refreshes the browser, it bypasses everything else in the polic...