Interesting- I think that is the first time I've seen password and 2FA code on the same page. Guess that means you may not know if your password or 2FA code is incorrect depending on the error page
Or the login process should just go ahead and ask the 2FA either way - and just fail you in the end without explaining why. And then notify only behind the scenes via mail that the password was correct but the 2fa wrong. That would be the way to handle it. I'd receive such notifications from time to time - I mix up the 2FA accounts sometimes, other times I'm slow typing and it expires - but I can live with that little extra email.
All my TOTP prompts (on websites I run) account for such delays and clock skews by checking against the previous and next TOTP. So even if the user is a little bit late to enter the OTP, I can still validate it and complete authentication.
