Two-factor authentication codes are short and shown as the user types them in so failures should be rare. A dedicated attacker can brute-force them given enough time (the current throttling is 10 per minute, and there are 10^6 possibilities, 3 of which are acceptable, so for a single account there is about 1% chance of success for every 5 hours spent attacking; practically guaranteed success in a month or so). We should have aggressive security alerts (icinga etc) for frequent 2FA failures.
That would require either dedicated logging or improving AuthManagerLoginAuthenticateAudit (which currently only learns the outcome of the login attempt, not the step at which it failed - cf T137194: AuthManager cannot audit passwords) or adding a similar audit hook to OATHAuth.
See also T158379: Warn the user after a certain number of failed 2FA attempts about alerting the account owner.