Comment 2 for bug 1815782

That is correct I was a member of ~canonical, but am not any more.

I'd actually argue that the web login was doing the correct thing. This is because as a user, when logging in I do not see any configuration for 2fa. Whereas the api prompting for 2fa seems wrong since there's no user-facing configuration visible once logged in via login.ubuntu.com showing that I 2fa is enabled.

Another solution would be to fix the UI to check for 2fa being required, and show the auth device configuration tab if it's required. The openid login would have to also be fixed to require 2fa.

I'm not sure what mechanism you use to determine if 2fa is required *(database lookup, launchpad group membership, something else) so take this all with a grain of salt.