True. In that case what if you check it with OnBeforeShow/AllowAccess or some event like that instead of with the login method? When you refresh or get to another page it will be checked then... 2FA as you have explained is much better, but not everyone has 2FA working.