The museum server's EmailAuthorizationResponse declares passkeySessionID, accountsUrl, twoFactorSessionID, and twoFactorSessionIDV2 without `omitempty`, so Go always sends them, as "" when unset. The previous mock omitted the unset fields entirely, which let the ?? -based dispatch pass in tests while the real server's "" defeated it and dual-2FA logins fell through to the unsupported passkey branch.