Why do 2FA backup codes use a separate form? We should use one form and fallback to trying the backup code if it's not a normal OTP code.