This additional check doesn’t happen when the controller cannot be reached, because the protocol developers assumed that the attacker can’t change the user password stored in the local cache.