* Don't allow for plain username/password authentication when 2FA is enabled
* Removed debugging statement
* Don't assume a token belongs to a given user, handle two-factor errors properly
* Simplified user/token matching, refactored error handling for two-factor authentication
* Change authentication response to avoid bruteforcing
* Add TODO item as a comment for changing the response for security purposes