there are some good reasons why we are doing this on Authz instead of AuthN that are based on some infra challenges on our side. Caveats seems to be a good approach to work with 2fa according to the documentation and we went that route