Discovered this issue while testing keyserverAuth-based recovery. We should wait until a non-cancelled recovery fails in order to invalidate the session.
I suspect I hadn't encountered it in prior testing because before introducing keyserverAuth to the dep list, the recovery was unlikely to get cancelled before it ran its course.