I am using AWS Managed Microsoft Active Directory for authentication management. I have set up a RADIUS server and linked it with Duo for 2FA.

The authentication process requires a username and password, followed by a 2FA prompt from Duo, which then sends a push notification to the Duo app. However, I have noticed that even when I enter incorrect digits for the 2FA, I still receive the push notification. After approving it, I can still authenticate successfully.

I have already enforced the "Require two-factor authentication" option for both groups and users. What should I implement or update in Duo to ensure that it only accepts valid and correct 2FA inputs, then sends the push notification, and then successfully authenticates users?