Instead of completely giving up on the first failure, ask for
credentials as long as we fail to authenticate.