 

Angular & Asp.Net Core - Enable 2 Factor Authentication

I have a single page application written in angular 7 which communicates with my ASP.Net Core 2.2 Web API server. On login, the user sends his credentials to my authorization server (connect/token) using "resource owner password credentials" grant. I am trying to add 2-factor authentication (SMS), but I can't find any example describing how to do this. All the examples I found were written with MVC using cookies authentication.

I was thinking about this flow, but it feels to me that there should be a much better way:

  1. A user enters his user name & password.
  2. If the user has 2 factors enabled, I will send him an SMS with a code. In addition, a limited access_token and id_token will be sent to the client. This access_token will be valid only to enable the user to send the 2-factor code. If the id_token has a claim 'two factors': 'on', I will redirect the user to an SMS confirmation code screen.
  3. The user will send a POST request with the code. If the code matches, I will return to the client a new access_token with all the claims.
Tal Humy asked Nov 07 '22 15:11



1 Answer

2FA is a very bad fit for the resource owner password credentials grant (at least, not the standard flavor).

An interactive flow like the code or implicit flows will allow you to implement that easily using ASP.NET Core Identity and its default controllers/Razor pages, in a completely standard way.

Kévin Chalet answered Nov 11 '22 13:11
