
I'm trying to implement 2FA with TOTP in my web application.

The implementation I've looked at (the ASP.NET Core implementation of 2FA) does something like this:

  1. Check if username and password are correct
  2. Generate a cookie that contains the userid of the user that just logged in
  3. Redirect the user to a page in which he can insert the TOTP code
  4. The TOTP code is sent to the server, along with the cookie generated at step 2.
  5. If the userid contained in the cookie is correct (there's an actual user with that userid) and the TOTP is valid, the user is authenticated.

For reasons I can't get into, I cannot implement something like that.

Would an implementation consisting of these steps defeat the purpose of 2FA?

  1. Ask the user for username, password and TOTP code
  2. If credentials and TOTP are correct, authenticate the user
PasWei
Acerbic
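The single-request flow proposed in the question (username, password and TOTP code submitted together), as an added example that is not part of the original post: it verifies an RFC 6238 TOTP over a small time window, rejects reuse of an already-consumed time step, and always runs both checks before returning one generic result, so the response does not reveal which factor failed. The secret is the RFC 6238 test-vector key; the user record, salt and password are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test-vector key ("12345678901234567890" in base32); a real app
# generates a random secret per user at enrolment.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, step: int, digits: int = 6) -> str:
    """RFC 6238 code for one 30-second time step (HMAC-SHA1 defaults)."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, last_step_used: int, window: int = 1):
    """Accept the current step or +/- window steps, never a step at or before
    the last one consumed (replay protection). Returns the matched step or None."""
    current = int(now) // 30
    for step in range(current - window, current + window + 1):
        if step <= last_step_used:
            continue
        if hmac.compare_digest(totp(secret_b32, step), code):
            return step
    return None


def make_user_db() -> dict:
    """Constructed in-memory user record standing in for the application's user table."""
    salt = b"constructed-salt"
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000)
    return {"alice": {"salt": salt, "pw_hash": pw_hash,
                      "secret": RFC_SECRET, "last_step": -1}}


def login(username: str, password: str, code: str, now: int, user_db: dict) -> bool:
    """One-step login: password and TOTP checked together, single generic verdict."""
    user = user_db.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000),
        user["pw_hash"])
    step = verify_totp(user["secret"], code, now, user["last_step"])  # always evaluated
    if pw_ok and step is not None:
        user["last_step"] = step  # consume the step only on a full success
        return True
    return False
```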

1 Answer

That should be fine, security-wise.

The reason you see sites prompting for 2FA on a separate page is often the way the login process is commonly implemented. You might enter your username/password on one page, but depending on the site you're trying to access it also prompts for your token code. Often the username/password system is something like LDAP, Active Directory, FIDO, etc., but the 2FA system is completely independent and is supplied by a different vendor such as RSA, Thales, Google, GitHub, etc., and has a completely different interface.

It turns out it's also more user-friendly to split the token code from your password. If you make a typo in your password, it will simply prompt you to enter it again. Otherwise, if you have to enter both up front, you'll expend the effort to pull out your phone, open the 2FA app, enter your PIN, and then enter the token code, only to find out you mistyped your password and have to do it all over again.

John Deters
    Another common reason for 2FA to be on a separate page is that the login flow doesn't know if your account has 2FA until after you provide your username. Asking for 2FA may be confusing to users who don't have 2FA enabled. – Brian Aug 19 '22 at 21:16