In bug https://bugster.forgerock.org/jira/browse/OPENAM-12627 it shows the transaction as successful even if incorrect credentials are provided. There is a note from Andy Hall:
"Transactional Authorization was designed for Push Authz use-case."
This is fine, but the docs suggest using chains and modules as an alternative to using push notifications, so customers that don't use push notifications will hit this bug, which we won't fix. I think we should remove any suggestions of using non-push authorization in https://backstage.forgerock.com/docs/am/6/authorization-guide/#chap-authz-implementation-transactional
A couple of examples:
"For example, they must reauthenticate to an authentication module or respond to a push notification on their mobile device."
"The user completes the required actions, for example authenticates to the specified chain, or responds to the push notification on their registered mobile device."
There may be other references in the docs but I haven't fully checked. It may also be worth noting in the docs that this is designed specifically for Push Authorization.