Add back the password as the hook will provide it

class-two-factor-core.php

@@ -689,7 +689,7 @@ public static function destroy_current_session_for_user( $user ) {
 	 *
 	 * @return WP_User|WP_Error
 	 */
-	public static function filter_authenticate( $user, $username ) {
+	public static function filter_authenticate( $user, $username, $password ) {
 		if ( strlen( $username ) && $user instanceof WP_User && self::is_user_using_two_factor( $user->ID ) ) {
 			// Disable authentication requests for API requests for users with two-factor enabled.
 			if ( self::is_api_request() && ! self::is_user_api_login_enabled( $user->ID ) ) {