Google-authenticator-libpam expired user

zypper install google-authenticator-libpam

Created a /etc/pam.d/sshd file with
auth required pam_google_authenticator.so nullok

Linked it to phone app via qr code

the 2fa / mfa part seems to work:
sshd(pam_google_auth)[1313571]: Accepted google_authenticator for <user>
but password seem to fail:

 error: PAM: User account has expired for <user> from <ipv4>
 fatal: monitor_read: unpermitted request 104

Tried this but failed:

sudo pam-config -a --google_authenticator 
 pam-config: invalid option -- --google_authenticator

What is the advised way to have mfa on incoming ssh sessions?