
From:
Lloyd <ng2d68@proton.me>
Subject:
Behaviour of OpenBSD su(1) auth style
To:
"tech@openbsd.org" <tech@openbsd.org>
Date:
Sat, 18 Jan 2025 05:07:50 +0000


There is a provision in su(1) to ignore the default auth style specified
in /etc/login.conf if you are su'ing to root. It seems unique to OpenBSD.

The effect of this is that if auth-defaults is set to e.g. yubikey or
some other token in /etc/login.conf (with no explicit override for root),
you can still su to root via local passwd by specifying "su -a passwd"
on the command line, even though a root login via getty on the console
would be rejected.

This appears to be an explicit design decision introduced over twenty
years ago in v1.47, the idea being if you misconfigured /etc/login.conf
you still have a back way in without having to enter single-user mode to
fix your mess.

The question is: does this still make sense in 2025? This bypass is not
documented in the man pages, not that I could find anyway.