...
A malicious party could still alter the username, preventing which would require server-side measures (e.g. a post-flow step in the MFA Flow, or a post-login authentication flow). However, there is typically no need to worry about that add those since the service provider is responsible for determining the strength of the authentication required.
...