If another module interrupts during hook_user_login() (such as TFA to redirect to its form) it will break bakery_login() handling (such as error messages but more importantly its subsite redirect).

Bakery could work around this by not deleting the oatmeal (redirect) cookie and picking it back up in bakery_user_login().