That matched my experience then, since I’ve not been offered it since and I cannot find anywhere to set it up.
Those sound like annoying UI bugs with the authentication being partly ‘bolted on’ to the usual layout. I hope they can be tidied up.
That would be much appreciated, along with some tidying up and re-thinking of the options available. However it does appear to be a FA threat response which allows FA to reduce their exposure at their back-end, at the unknowable expense of the user’s security at the front-end.