Let the user choose (as google does) which 2FA method use after the login with username and password.

Otherwise, you end up in situation like that: https://www.reddit.com/r/Twitch/comments/xfzroj/appeal_to_gdpr/