
In most common web applications that support multi-factor authentication the user is first prompted for their username and password, and only after a successful first authentication the user is prompted for their TOTP token.

Why is that? Are there any security implications against prompting for all three at once, if validation happens in the traditional order (e.g. first username/password, then TOTP)?

I am aware that doing this might affect user experience, e.g. if a user mistypes his password, he would have to re-enter the TOTP token, and if the token was incorrect, a user should re-enter his username and password again. So, maybe it's less user-friendly for users who input incorrect information, but I'm curious if there are security reasons not to do this.

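The single-step flow the question describes, written out as an added example (not code from the question or from any particular site): username, password and TOTP code arrive together, the password is checked first and then the TOTP code, but the second check is never skipped and the caller only ever sees one generic result. Both properties matter for the combined form: if the handler short-circuited on a bad password, or reported "wrong code" separately from "wrong password", the form would confirm a correct password on its own, which is exactly the information the second factor is meant to protect. The TOTP part follows RFC 4226/6238 (HMAC-SHA1, 6 digits, 30-second step, one step of skew either way) and uses the RFC 6238 test-vector key; the user store, salts, passwords and the `login`/`matching_counter` helper names are constructed for this example.

```python
import hashlib
import hmac
import struct
import time

# --- TOTP primitives (RFC 4226 / RFC 6238: HMAC-SHA1, 6 digits, 30 s step) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter, as a zero-padded decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_at(secret: bytes, now: float, step: int = 30) -> str:
    """The TOTP value valid at Unix time `now` (what the authenticator app shows)."""
    return hotp(secret, int(now) // step)


def matching_counter(secret: bytes, code: str, now: float,
                     step: int = 30, window: int = 1):
    """Return the time-step counter whose code equals `code`, or None.
    One step of clock skew either way is tolerated. Every candidate is
    compared (no early exit on a hit) and each comparison is constant-time."""
    centre = int(now) // step
    match = None
    for c in range(max(0, centre - window), centre + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            match = c
    return match


# --- Constructed user store (sample data for this example, not a real deployment) ---

PBKDF2_ROUNDS = 50_000

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

USERS = {
    "alice": {
        "salt": b"constructed-salt-alice",
        "pw_hash": _pw_hash("correct horse battery staple", b"constructed-salt-alice"),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector key
        "last_counter": -1,                       # highest TOTP counter already accepted
    },
}

# Dummy record used for unknown usernames so the handler does the same amount
# of work (one PBKDF2 run, one TOTP window) whether or not the account exists.
_DUMMY = {
    "salt": b"constructed-salt-dummy",
    "pw_hash": _pw_hash("not-a-real-password", b"constructed-salt-dummy"),
    "totp_secret": b"constructed-dummy-secret",
    "last_counter": -1,
}


def login(username: str, password: str, code: str, now: float = None) -> bool:
    """Single-step login: username, password and TOTP code are submitted together.

    Factors are evaluated in the traditional order (password, then TOTP), but
    the TOTP check runs even when the password is wrong, and the caller gets
    one generic True/False. Skipping the second check or returning a
    per-factor error would let the combined form confirm a password alone.
    """
    now = time.time() if now is None else now
    user = USERS.get(username)
    known = user is not None
    if not known:
        user = _DUMMY

    password_ok = hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw_hash"])
    counter = matching_counter(user["totp_secret"], code, now)
    # A code is single-use: reject any counter at or below the last accepted one.
    totp_ok = counter is not None and counter > user["last_counter"]

    if known and password_ok and totp_ok:
        user["last_counter"] = counter
        return True
    return False


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    pw = "correct horse battery staple"
    print("code at t=59:", totp_at(secret, 59))                 # 287082 (RFC 6238 vector, 6 digits)
    print("good login:", login("alice", pw, totp_at(secret, 59), 59))
    print("replayed code:", login("alice", pw, totp_at(secret, 59), 70))
```

Note that the replay protection (`last_counter`) is what makes the combined form no worse than the two-step one with respect to reusing a code seen by a shoulder-surfer or in a log: a code that has already been accepted is refused even while it is still inside the skew window.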

0 Answers