Having the input on the login page makes it confusing to users since most don't even know what two factor authentication is. I'm willing to bet more than one person will try and type their password into it.
Basically there should be a configuration option like in Extension:TwoFactorAuthentication that allows moving the token input to a different page (like how Google, Facebook, etc. does it) and the user only sees it if they have it enabled for their account.
Note that in Extension:TwoFactoryAuthentication, this is done in a ambivalent method that doesn't reveal if you got the password or the token wrong. In other words, if you type an incorrect password, it still takes you to the token page.
Version: master
Severity: enhancement