[ezekg]

In my pseudo-code example, we're raising a couple errors, InvalidSecondFactorError and InvalidPasswordError. You could imagine there could be finer grained errors, such as TotpRequiredError or HardwareKeyRequiredError, depending on the user's second factors, which could then propagate down to the UI via specific error codes.

The UI could then use these error codes to display the correct prompt, and then resend the request with the appropriate second factor.

[nick__m]

You would have to randomize the error when the wrong password is inputed and ensure that for a particular username the returned error is invariant. Else an attacker could infer that when you get a different error you have a correct password.

[ezekg]

The bad password error would only be sent if the second factor is valid, though.