Misleading error message on incorrect 2FA token.

As mentioned by @consideRatio in #183, it is currently the case that when supplying a correct username/password but an incorrect 2FA token, the error message is "incorrect username or password" nevertheless.

When we rework the 2FA system for 1.2, we should make sure this also gets addressed.
