Bugs in Authentication Agent for macOS
When OTP (one-time password) is enabled for User Portal it causes the Client Authentication Agent for macOS to not work UNLESS the user enters their username and password PLUS their OTP token.
I have tested and confirmed this with Sophos support.
Enabling OTP for the User Portal should have NOTHING to do with the Authentication Agent for macOS. Furthermore the Authenticator agent should never require a OTP. Otherwise the poor user will need to re-enter his or her credentials every time their Mac is rebooted.
Second bug: There is an on-going display issue with the Authentication Agent for macOS. The top of the logo is cut off and wraps around to the bottom of the window. And if your Mac is in Dark Mode you cannot read any of the text inside the Authentication agent window.