diff --git a/lib/auth/methods.go b/lib/auth/methods.go index 9fab2dfc651f9..20d3c6f27b4ce 100644 --- a/lib/auth/methods.go +++ b/lib/auth/methods.go @@ -162,6 +162,9 @@ func (s *Server) AuthenticateUser(ctx context.Context, req AuthenticateUserReque } var ( + // authenticateHeadlessError is the generic error returned for failed headless + // authentication attempts. + authenticateHeadlessError = trace.AccessDenied("headless authentication failed") // authenticateWebauthnError is the generic error returned for failed WebAuthn // authentication attempts. authenticateWebauthnError = trace.AccessDenied("invalid Webauthn response") @@ -171,9 +174,6 @@ var ( // invalidUserpass2FError is the error for when either the provided username, // password, or second factor is incorrect. invalidUserPass2FError = trace.AccessDenied("invalid username, password or second factor") - // invalidHeadlessAuthenticationError is the generic error returned for failed headless - // authentication attempts. - invalidHeadlessAuthenticationError = trace.AccessDenied("invalid Headless authentication") ) // IsInvalidLocalCredentialError checks if an error resulted from an incorrect username, @@ -208,12 +208,12 @@ func (s *Server) authenticateUser(ctx context.Context, req AuthenticateUserReque mfaDevice, err := s.authenticateHeadless(ctx, req) if err != nil { log.Debugf("Headless Authentication for user %q failed while waiting for approval: %v", user, err) - return nil, "", trace.Wrap(invalidHeadlessAuthenticationError) + return nil, "", trace.Wrap(authenticateHeadlessError) } authenticateFn = func() (*types.MFADevice, error) { return mfaDevice, nil } - authErr = invalidHeadlessAuthenticationError + authErr = authenticateHeadlessError case req.Webauthn != nil: authenticateFn = func() (*types.MFADevice, error) { mfaResponse := &proto.MFAAuthenticateResponse{
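Review bot: The comment on the new `authenticateHeadlessError` should record that the message is deliberately generic, because the error is returned to the caller in place of the real reason for failure and the only place the real cause surfaces is the `log.Debugf` in the third hunk. Suggested wording: `// authenticateHeadlessError is the generic error returned for failed headless` / `// authentication attempts. It intentionally reveals nothing about why approval` / `// failed; the underlying cause is only logged at debug level.` Since the message text changes from "invalid Headless authentication" to "headless authentication failed", anything that matches on the old string (tests, client-side checks, or `IsInvalidLocalCredentialError` declared just below, whose body is outside this hunk) needs a corresponding update, which this diff does not show. The enclosing `var (...)` block starts in this hunk but its remaining entries continue in the next one.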
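Review bot: On the new `return nil, "", trace.Wrap(authenticateHeadlessError)` line the original `err` from `authenticateHeadless` is dropped entirely, so once debug logging is off in production there is no server-side record distinguishing an approval timeout from an explicit denial or a missing request. Returning the generic sentinel to the client is the right call for not leaking state, but consider recording the discarded cause at a level that is on by default, e.g. `log.Warnf("Headless authentication for user %q failed: %v", user, err)`, or hedged: an audit event if the surrounding code emits them for other MFA failures. Also note that `authErr = authenticateHeadlessError` pairs with an `authenticateFn` that can never return an error here, so its effect depends on how `authErr` is consumed later in the function; that code, like the start of `authenticateUser`, lies outside this hunk.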