Channel: VMware Communities: Message List - VMware View

Re: 2-factor security broken in 2.3.0 version of client (all platforms)?


Which RADIUS Server are you using?

 

I think that the "OTP Challenge: 050989" prompt is coming from your RADIUS Server when it replies with a RADIUS Access-Challenge in response to the View Connection Server's RADIUS Access-Request. The prompt text comes from the RADIUS Reply-Message (attribute 18) in the challenge, which contains text that should be displayed to the user.

 

The problem with View Clients prior to 2.3 is that the prompt text (RADIUS Reply-Message) for the next code coming from the RADIUS server was not displayed by the client, so the client just used a generic "Enter your next xxx response ..." prompt. In some situations this generic prompt was confusing or did not contain sufficient information for the user to know what to do. This problem was certainly corrected in the 2.3 clients so that it does now display the proper Reply-Message.

 

The View Connection Server (or View Client) doesn't know the next code value, so it must be coming from your RADIUS server, which is odd. It may be that this is configurable on your RADIUS Server so that you can specify a more appropriate Reply-Message to users, e.g. "Enter the 6 digit code from your SMS text message", instead of it sending the actual code.

 

There is no need for a RADIUS Server to send the actual code out in a prompt. The code should only be sent via SMS so that there is the assurance that the user with their cell phone is the person logging on.

 

As you say, if the Reply-Message prompt sent by the RADIUS server contains the code, it would allow someone to log on with just the initial password, which is not good. Double check your RADIUS Server config.

 

Mark
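
A way to check a RADIUS server's configuration for the behaviour discussed in the reply above, as an added example that is not part of the original post: it parses a raw Access-Challenge and returns any Reply-Message (attribute 18) prompt containing a standalone 6 to 8 digit run. The packet builder, the sample packets and the digit-length heuristic are assumptions made for the illustration; a hit still needs a manual check against the code actually delivered by SMS.

```python
import re
import struct

ACCESS_CHALLENGE = 11   # RADIUS packet code (RFC 2865)
REPLY_MESSAGE = 18      # attribute carrying the prompt shown to the user
STATE = 24              # opaque session attribute echoed back by the client
OTP_RUN = re.compile(r"(?<!\d)\d{6,8}(?!\d)")  # assumed OTP length range

def parse_radius(packet: bytes):
    """Return (code, [(attr_type, value), ...]) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def prompts_with_digit_codes(packet: bytes):
    """Reply-Message texts of an Access-Challenge that embed an OTP-length digit run."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_CHALLENGE:
        return []
    texts = [v.decode("utf-8", errors="replace") for t, v in attrs if t == REPLY_MESSAGE]
    return [text for text in texts if OTP_RUN.search(text)]

def build_challenge(prompt: str) -> bytes:
    """Constructed sample Access-Challenge (zeroed authenticator, dummy State)."""
    body = prompt.encode("utf-8")
    attrs = bytes([REPLY_MESSAGE, 2 + len(body)]) + body
    attrs += bytes([STATE, 6]) + b"sess"
    return struct.pack("!BBH", ACCESS_CHALLENGE, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for prompt in ("OTP Challenge: 050989",
                   "Enter the 6 digit code from your SMS text message"):
        hits = prompts_with_digit_codes(build_challenge(prompt))
        print(repr(prompt), "->", "code in prompt" if hits else "ok")
```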

