Um, I can't detect why a password was not accepted -- whether it's wrong or the user has two-factor enabled.
Surely, since two-factor is off by default, when someone goes to enable it for the first time, he takes a bit of time to learn about it, no? I mean it's all right there on Google's help pages?
PS - I do have info on this in the FAQ.