I just stumbled over this question and face the same challenge in our API.
My current idea for implementing this is to respond with a 201 - CREATED, which semantically would mean that a login request was created but is not yet completed, and the user has to do something with it.
With this response I also generate and return a challenge token that must be provided in combination with the two-factor code to another endpoint handling pending two-factor requests. The challenge token must be short-lived, about 5 minutes or so.
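
A sketch of the pending-login flow described in the answer above, as an added example that is not part of the original post. The class name `PendingLogins`, the `check_code` callback, the in-memory store and the attempt cap are assumptions made for illustration; only the 201 response, the challenge token and the roughly 5-minute lifetime come from the post.

```python
import hashlib
import secrets
import time

CHALLENGE_TTL = 300  # seconds; the "about 5 minutes" from the post
MAX_ATTEMPTS = 5     # assumption: cap on wrong codes per challenge


class PendingLogins:
    """In-memory store of logins that have passed the password step only."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> [user_id, expires_at, attempts_left]

    @staticmethod
    def _key(token):
        # Keep only a digest, so a dump of the store yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """First endpoint, after the password check: returns (status, body)."""
        token = secrets.token_urlsafe(32)  # unguessable, carries no user data
        expires_at = self._clock() + CHALLENGE_TTL
        self._pending[self._key(token)] = [user_id, expires_at, MAX_ATTEMPTS]
        return 201, {"challenge_token": token, "expires_in": CHALLENGE_TTL}

    def redeem(self, token, code, check_code):
        """Second endpoint: returns the user_id on success, None otherwise.

        check_code(user_id, code) -> bool is the caller's own 2FA verifier
        (hypothetical here, e.g. a TOTP check).
        """
        key = self._key(token)
        entry = self._pending.get(key)
        if entry is None:
            return None  # unknown, already used, or discarded token
        user_id, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[key]  # expired or exhausted: discard for good
            return None
        if not check_code(user_id, code):
            entry[2] -= 1  # wrong code: burn one attempt, keep the challenge
            return None
        del self._pending[key]  # single use: the token dies with the login
        return user_id
```

The token is bound to the user on the server side, so the second endpoint never has to trust a user id sent by the client, and the attempt cap keeps a captured token from being used to brute-force the code within the 5-minute window.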