In the shipping version of duo.properties, the following "three" configuration keys are defined:
Per duo-authn-beans.xml, the third (duplicated) configuration key should read as "idp.duo.nonbrowser.header.passcode" instead.
This duplication prevents passcode-based non-browser Duo authentication flows from succeeding (since the IdP will default to "auto" instead).
The workaround is trivial: rename the configuration key in duo.properties. This may be the root cause of https://github.com/techservicesillinois/awscli-login/issues/29.
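
A check for this class of mistake, as an added example that is not part of the original report or the IdP's own code: it flags keys defined more than once in a properties file and expected keys that are never defined. The sample file and the `example.header.*` key names are constructed; only `idp.duo.nonbrowser.header.passcode` comes from the report.

```python
import re

# Key the report says duo-authn-beans.xml expects.
EXPECTED_KEY = "idp.duo.nonbrowser.header.passcode"

# Constructed sample, NOT the real duo.properties: the placeholder key
# "example.header.b" is defined twice and EXPECTED_KEY is never defined.
SAMPLE = """\
# constructed sample
example.header.a = X-Example-A
example.header.b = X-Example-B
example.header.b : X-Example-Passcode
"""


def parse_properties(text):
    """Return [(lineno, key, value)] for simple one-line entries.

    Handles '#'/'!' comments and '=' / ':' / whitespace separators.
    Escapes and backslash line continuations are not handled.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", stripped)
        if m:
            entries.append((lineno, m.group(1), m.group(2)))
    return entries


def audit(text, expected_keys):
    """Return (duplicates, missing).

    duplicates maps each repeated key to the line numbers defining it.
    java.util.Properties keeps only the last value for a repeated key and
    reports nothing, so a duplicate like this goes unnoticed at load time.
    """
    seen, duplicates = {}, {}
    for lineno, key, _value in parse_properties(text):
        if key in seen:
            duplicates.setdefault(key, [seen[key]]).append(lineno)
        else:
            seen[key] = lineno
    missing = [k for k in expected_keys if k not in seen]
    return duplicates, missing
```

Calling `audit()` on the contents of a deployed duo.properties with the keys the bean definitions reference gives a quick pre-deployment check.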