When credentials fail authentication, Spring Security conventionally throws `BadCredentialsException`. `OneTimeTokenAuthenticationProvider` should catch `UsernameNotFoundException`, wrap it, and rethrow as `BadCredentialsException`.