It’s good to keep in mind that while it does improve the overall security of the account, a 2FA/TOTP code can still be phished, so if the user encounters a fake login page and supply his password and 2FA code, it could let an attacker pass the intercepted credentials to the real login page in the background and gain access. Most websites using TOTP will not allow reusing a code more than once in the same time slot, but that’s a moot point if the 2FA code is intercepted without being entered on the legitimate website, but in your case of making a demonstration that would not be a security concern.

It’s important for the user to ensure they’re accessing the legitimate website before typing any credentials and 2FA code.

A safer option nowadays is FIDO2/Passkeys, which will not provide a valid 2FA challenge-response in the case of a spoofed/phishing website, further reducing the possibility of a breach.