How can validateLoginAttempt work to allow password-only login?

[RealHandy]

I've got meteor-two-factor working, it's great -- but I need to have a person be able to log in without 2FA. I've gone over this and tried a bunch of things, but it seems to me that this line in verifyCodeAndLogin on the server side https://github.com/dburles/meteor-two-factor/blob/c7c645e4da1467d9a74aafe533bdbb67512504cd/server.js#L91 rejects login for lacking 2FA before validateLoginAttempt has ever been called by Accounts_attemptLogin() a few lines later. My code asks for email and password, and when you submit, calls getAuthCode, then shows the 2FA code input field. But no call to validateLoginAttempt has occurred yet when the code asks for the 2FA code, and as mentioned, submitting an empty or wrong 2FA code fails.

What am I missing here? Does anyone have this working? Thanks!