Looks like this is still the case on bionic. It makes no sense to me.
Users using login_duo shouldn’t be able to see the secrets in logins_duo.conf. I don’t see any possible case where this could even work for a host that needs to allow more than one user to log in.