If Require2Factor is set, then the user must provide their
static password as a prefix to their HOTP one-time password. The correct
static password is retrieved from 4th field returned by AuthSelect. If
this flag is not set, but the user provides a static password prefix, then
the static password will be checked anyway.