In order to remove an authenticator they require 2 sequential authenticator codes.

The obvious solution to avoiding a man-in-the-middle attack is, when you fail to authenticate, to wait 30 seconds and completely skip the next code. If it was just a typo, well, you only wasted 30 seconds of your life. If it was a MITM attack, well, you just spent 30 seconds to save a whole bunch of time with their account retrieval team.