
Resolved
0 votes
Two-factor authentication (2FA) for Webconfig strengthens access security by requiring two methods to verify a user's identity. Before granting access to resources available via Webconfig, a user will be sent a random code after their username and password credentials have been verified. Failure to provide the correct code within a pre-determined window of time will result in access denial.

This is flawed simply because it allows the attacker to verify that not only is the account name correct but so is the password; what should be happening is that the code is passed right there in the same form as the Username and Password.

User:
Pass:
Code:
[send code]

As well, on failure of any one of the credentials there should just be a generic "Some of the information being submitted is incorrect" kind of canned response.

It would be greatly appreciated to see this adjusted to make it more secure by generic obscurity in the response and a lack of validation unless all 3 variables are correct (providing you have 2FA enabled; otherwise just the default U and P are required).
Friday, May 25 2018, 05:34 PM
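To make the point of the post concrete, here is an added example (not code from the forum, from Webconfig, or from ClearOS) contrasting the step-by-step flow with the single-form flow the poster asks for. It assumes a constructed in-memory user store, a password hash stored per user, and a code that has already been issued to the user (with an expiry time) before the form is submitted; the hardened handler checks username, password and code together and answers every failure with the same canned message.

```python
import hashlib
import hmac
import os

GENERIC_FAILURE = "Some of the information being submitted is incorrect"

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed demo user store: one user with 2FA enabled, one without.
# The one-time code and its expiry (a made-up clock value) are assumed to
# have been issued to the user before the login form is submitted.
_SALT = os.urandom(16)
USERS = {
    "alice": {"salt": _SALT, "pw_hash": hash_password("alice-pass", _SALT),
              "twofa": True, "otp": "493817", "otp_expires": 1000},
    "bob":   {"salt": _SALT, "pw_hash": hash_password("bob-pass", _SALT),
              "twofa": False, "otp": None, "otp_expires": 0},
}
# Random 32-byte value compared against when the username is unknown, so an
# unknown user costs the same hashing work and can never match.
_DUMMY_HASH = os.urandom(32)

def login_stepwise(username, password, code, now):
    """The flow the post criticises: each factor answers separately."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"                       # leaks: no such account
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False, "wrong password"                     # leaks: account exists
    if user["twofa"] and (now > user["otp_expires"]
                          or not hmac.compare_digest(code or "", user["otp"])):
        return False, "wrong or expired code"              # leaks: password is right too
    return True, "ok"

def login_atomic(username, password, code, now):
    """The flow the post asks for: all factors from one form, one generic answer."""
    user = USERS.get(username)
    salt = user["salt"] if user else _SALT
    expected = user["pw_hash"] if user else _DUMMY_HASH
    pw_ok = hmac.compare_digest(hash_password(password, salt), expected)  # always computed
    if user and user["twofa"]:
        code_ok = now <= user["otp_expires"] and hmac.compare_digest(code or "", user["otp"])
    else:
        code_ok = True          # 2FA disabled: only username and password apply
    # One combined decision, no early return, no factor-specific message.
    if user is not None and pw_ok and code_ok:
        return True, "ok"
    return False, GENERIC_FAILURE
```

Calling both handlers with a correct password and a wrong code shows the difference: the stepwise handler's message confirms the password, the atomic handler's does not.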
Responses (1)
  • Accepted Answer

    Saturday, May 26 2018, 02:07 PM - #Permalink
    Resolved
    1 votes
    I have drawn your post to the attention of the devs. Thanks for the suggestions.