Lonestar
Stop calling this MFA. Ever notice how Google identifies this as 2-Step Authentication? Real MFA requires both authentication factors to be submitted at the same time, not “yeah your password is right, now guess this code.” There’s a reason for that. (Hint, you never know if you really know if the cracked password you have is still valid.)
Furthermore MFA requires the factor to be something of different nature. I know you think that it’s “something you have” but it’s really a shared secret, more akin to a key than anything else.