This first browser slice uses one form for username, password, and TOTP while still enforcing the underlying primary-auth and second-factor boundaries.