[soco]

Or the login process should just go ahead and ask the 2FA either way - and just fail you in the end without explaining why. And then notify only behind the scenes via mail that the password was correct but the 2fa wrong. That would be the way to handle it. I'd receive such notifications from time to time - I mix up the 2FA accounts sometimes, other times I'm slow typing and it expires - but I can live with that little extra email.

[Ayesh]

All my TOTP prompts (on websites I run) account for such delays and clock skews by checking against the previous and next TOTP. So even if the user is a little bit late to enter the OTP, I can still validate it and complete authentication.

[throwaway2037]

This is standard practice with big corporate RSA remote login.