I am creating this discussion in regard to the 2FA authentication I found in the Adobe HELPX page: Setting up two-factor authentication for Adobe Experience Manager
Just so you know, we are using your module for AEM 6.1 for our client’s 2FA requirement.
The module seems to work fine, except that we are "intermittently" experiencing that the login page throws a 403 error after a user submits correct credentials. What happens is, it shows a 403 error page immediately after the user clicks the "Sign-in" button, instead of redirecting the user to /libs/cq/core/content/welcome.html. Strangely, when we type the aforementioned link in the browser manually, e.g. https://author.local/libs/cq/core/content/welcome.html, the user has no issue accessing the welcome page. This implies that the login process was actually successful, but there is an issue with the redirection.
FYI, we found a warning message in the logs when it occurred:
*WARN* [qtp933178697-315] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: AuthenticationHandler did not block request; access denied  
We also noticed that this occurs in all browsers - not limited to a particular browser.
We wonder if anyone also encounters the same error. We’d really appreciate it if you could share or advise us of possible solutions for this.
We look forward to hearing from you soon.
When this article was written (it was submitted by one of our super users) a while back, we tested it. I do not recall seeing the situation that you are describing. I will look at this again in AEM 6.1 and see if I can reproduce your issue.
That's the existing issue with the code for 6.1 on community. I have seen it and fixed it while refactoring it for 6.4 here: https://helpx.adobe.com/experience-manager/using/twofactor64.html
I would recommend taking the auth handler code from here and keeping everything but the annotations.
We managed to resolve this issue by adding an entry in sling.auth.requirements in Apache Sling Authentication Service.
In our case, a number of files were not loading correctly in the login page, which is believed to be the cause for this problem. FYI, we were experiencing a similar situation as this post: AEM 6.3 author instance returns 403 for clientlibs and j_security_check