We chose to keep Stormpath authentication error messages vague in order to better thwart brute-force attacks. This is why you see a generic 400 "invalid username or password" message returned for a variety of reasons.
If the Stormpath API were to report specific reasons for a failed authentication (incorrect password, unverified account, etc.), we would actually be providing attackers valuable information -- that the Account in question exists.
That being said, we sympathize with the frustration a vague error message can cause. While no decisions have been made, we are evaluating this issue internally. Any feedback you’d like to provide is incredibly valuable and we can help you debug at email@example.com
Please refer to our error code documentation for a complete list.