This is a great module, I like it a lot. Just wondering if we could make it optional on a site to users whether they want to use Two-Factor-Auth or not individually.
In other words, login without a code is generally possible. If, however, a user wasd conerned about his/her privacy they could setup their user account to make use of TFA. From then on, login only works with the code.
In such an environment we should consider what to do with the login form: either the field for "Code" stays in the form always and gets some description on what it means and that users can leave it empty if they haven't setup TFA for their account. Or we make the login process a two step process where the login form doesn't have that code field and instead, if a user logs in who has TFA enabled, then another form pops up that asks for the code. I guess this is how Google does it.
What do you think? If you were OK with that suggestion I consider writing the code and submit a patch for it.