by xwx 1370 days ago
If I've understood the linked post, the login panel doesn't have to behave or look different if someone gets the username and password right. You could still show everyone the 2FA input.

It's suggesting that if the username and password are right but 2FA isn't, the system should let the account owner know.

2 comments

I read the linked post too quickly before sending my initial comment. Indeed, a back-channel notification to the legitimate account owner is probably a good idea.

On the other hand, disclosing to the attacker that they got the password right is not acceptable.

Correct. The blog suggests letting them know out-of-band, like via email, not in the login flow.
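The flow the thread converges on, as an added example that is not code from the post, the commenters or the linked blog: the first step always answers with the 2FA prompt whatever the password was, the second step returns one generic failure for a wrong password and for a wrong code, and only the "password right, 2FA wrong" case queues an out-of-band notification to the owner. The user store, the notification queue and the session token are assumptions for the example; HOTP (RFC 4226) stands in for whatever second factor is actually deployed.

```python
"""Login flow with no in-band password oracle but an out-of-band owner alert.

Assumptions (this is an illustration, not a real service):
  * USERS is a constructed in-memory store with one account.
  * NOTIFICATIONS stands in for an e-mail / push sender.
  * HOTP is used as the second factor so the example runs offline.
"""
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 10_000  # kept low so the example runs quickly


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


_SALT = b"example-salt-0123"  # constructed
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": _pbkdf2("correct horse battery staple", _SALT),
        # RFC 4226 test-vector secret, so hotp(..., 0) == "755224"
        "otp_secret": b"12345678901234567890",
        "counter": 0,
    }
}

# Out-of-band notification queue (assumed stand-in for a mail/push sender).
NOTIFICATIONS: list[dict] = []

# One message for every failure at step 2, so the attacker cannot tell
# "wrong password" from "right password, wrong code".
GENERIC_FAILURE = {"ok": False, "error": "invalid credentials or code"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _password_ok(username: str, password: str) -> bool:
    """Same work for unknown users (dummy hash) so timing does not leak existence."""
    user = USERS.get(username)
    salt = user["salt"] if user else _SALT
    expected = user["pw_hash"] if user else _pbkdf2("dummy", _SALT)
    return hmac.compare_digest(_pbkdf2(password, salt), expected) and user is not None


def login_step1(username: str, password: str) -> dict:
    """Always ask for the second factor; the response never depends on the password."""
    _password_ok(username, password)  # evaluated for timing parity only; result unused
    return {"ok": False, "next": "totp", "message": "Enter your 2FA code"}


def login_step2(username: str, password: str, otp: str) -> dict:
    """Verify password and code together; alert the owner only out of band."""
    pw_ok = _password_ok(username, password)
    user = USERS.get(username)
    otp_ok = False
    if user is not None:
        expected = hotp(user["otp_secret"], user["counter"])
        otp_ok = hmac.compare_digest(expected, otp)
    if pw_ok and otp_ok:
        user["counter"] += 1  # burn the code so it cannot be replayed
        return {"ok": True, "session": f"session-for-{username}"}  # assumed token
    if pw_ok and not otp_ok:
        # The password was right but 2FA failed: tell the owner through a
        # back channel, never in the response the attacker is reading.
        NOTIFICATIONS.append({"to": username, "event": "password_correct_2fa_failed"})
    return dict(GENERIC_FAILURE)
```

The point to check in a real deployment is the second `if`: anything that differs between the two failure branches (status code, latency, error string, a lockout counter that only increments on one of them) recreates the oracle the first comment objects to.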