Hub: Username / password fails with for private repos with "remote: Invalid username or password."

I've been through all the issues here, none seem applicable. I'm just starting with hub, and have tried cloning a number of private repos -- nothing seems to work. I've been through all the open and closed issues here, but none seem to apply. The failure happens very early, and HUB_VERBOSE=1 just gives me some of the setup commands being used. I've verified my username and password, logged-out of the website, and back in. I am using TFA, and that works correctly vis SMS. git works perfectly fine on its own.

System info:

OS X 10.11.4
hub installed via brew

❯ git --version
git version 2.6.4 (Apple Git-63)
hub version 2.2.3

sample output:

❯ HUB_VERBOSE=1 hub clone mshick/private-repo
$ git config alias.clone
$ git config hub.protocol
$ git config hub.protocol
$ git clone https://github.com/mshick/private-repo.git
Cloning into 'arrivals-osx'...
Username for 'https://github.com': mshick   
Password for 'https://[email protected]': 
remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/mshick/private-repo.git/'

attempting a curl request (spotted in one of the issues) gives this. I don't know that this actually applies to hub though.

❯ curl -u mshick https://api.github.com/user
Enter host password for user 'mshick':
{
  "message": "Must specify two-factor authentication OTP code.",
  "documentation_url": "https://developer.github.com/v3/auth#working-with-two-factor-authentication"
}