In many sites where 2FA is enabled, the login flow is:
- A form asking for username/password
- If credentials are valid a new form asks for the verification code.
However, there are some implementations in where the verification codes are suffixed into the password so the flow is only a single form asking for
Which approach offers better security?