If your 2FA options all require the user to enter a code, you can simply display a "Please enter your 2FA code" dialog without divulging what kind of 2FA the user has.
How would you prevent someone from spamming a user just by knowing their username? Say, if the 2FA is done by SMS, or email.
An attacker brute-forcing the password could flood the user with multiple messages. The usual response is doing a password reset, but that wouldn't work in your system.
I wonder how systems that use magic links handle this.
An attacker brute-forcing the password could flood the user with multiple messages. The usual response is doing a password reset, but that wouldn't work in your system.
I wonder how systems that use magic links handle this.