Cleaned up the code a bit, also checks TOTP before attemping to verify
user.
This addresses the potential for an attacker to try at a password
and/or confirm that the password is correct unless they have a valid
TOTP code for the request. A failed TOTP response will trigger a
throttle count on the login as well.
