pam_script introduces additional password prompt #18

Open
spi43984 opened this issue Jul 23, 2021 · 0 comments
I am trying to set up the following pam process:

  1. pam_script checks environment, if return value = 0 then do password auth
  2. if return value != 0 then do fingerprint auth

I test this with sudo and polkit-1 (GUI) authentication. The pam config for either service looks like this:

auth    [success=1 default=ignore]      pam_script.so dir=/etc/pam.d/is-locked
auth    [success=2 default=ignore]      pam_fprintd.so max_tries=1
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

What happens now is:
return code != 0:
sudo/polkit-1 pam authentication process shows password prompt and asks for correct password --> that's ok and expected

return code = 0:
sudo/polkit-1 pam authentication process also shows password prompt and asks for password and accepts any or empty password, then fingerprint auth gets invoked
--> that's not ok and not expected

If I change

auth    [success=1 default=ignore]      pam_script.so dir=/etc/pam.d/is-locked

to

auth    [success=ignore default=ignore]      pam_script.so dir=/etc/pam.d/is-locked

still the initial password prompt in case of return code != 0 is shown.

In case I change

auth    [success=1 default=ignore]      pam_script.so dir=/etc/pam.d/is-locked

to

auth    [success=ignore default=ignore]      pam_exec.so /usr/bin/echo 123

no additional password prompt is shown.

What am I doing wrong?
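
Added example, not part of the original issue or the pam_script project: a simplified Python model of Linux-PAM's control rules (jump counts, `ignore`, `requisite`, `required`) that traces which modules the quoted stack runs for a given pam_script result, so the jumps can be checked separately from any prompting a module does on its own. The module outcomes and the helper names `parse` and `evaluate` are assumptions made for illustration.

```python
# Added illustration: simplified model of an "auth" stack walk; STACK is the config quoted above.
STACK = """\
auth    [success=1 default=ignore]      pam_script.so dir=/etc/pam.d/is-locked
auth    [success=2 default=ignore]      pam_fprintd.so max_tries=1
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""
# Bracket equivalents of the control keywords (new_authtok_reqd left out).
KEYWORDS = {
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}

def parse(text):
    """Return [(module, {return_value: action})] for each rule line."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rest = line.split(None, 1)[1].strip()      # drop the "auth" column
        if rest.startswith("["):
            inner, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=", 1) for kv in inner.split())
        else:
            keyword, rest = rest.split(None, 1)
            control = KEYWORDS[keyword]
        rules.append((rest.split()[0], control))
    return rules

def evaluate(rules, outcomes):
    """outcomes: module -> PAM return name. Returns (granted, modules_run)."""
    ran, ok, failed, i = [], False, False, 0
    while i < len(rules):
        module, control = rules[i]
        ret = FIXED.get(module) or outcomes.get(module, "auth_err")
        # Assumption of this model: a value with no action and no default counts as "bad".
        action = control.get(ret, control.get("default", "bad"))
        ran.append(module)
        i += 1
        if action.isdigit():
            i += int(action)                        # jump over the next N modules
        ok = ok or action in ("ok", "done")
        failed = failed or action in ("bad", "die")
        if action == "die" or (action == "done" and not failed):
            break
    return ok and not failed, ran
```

Calling `evaluate(parse(STACK), {"pam_script.so": "success", "pam_unix.so": "success"})` returns the grant decision and the ordered list of modules that were invoked.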
