Securely implementing two factor authentication in flask

I have flask-login and an SQLAlchemy db to authenticate user login attempts. But merging username and password inputs with a token-based totp has been the point of my problem. I'm using passlib to manage the totp authentication which has a token generator stored in the database user model.

I first thought of having all the input fields on the same page. Meaning the user would have three fields to complete: username, password, totp token when they visite the login page.

But I wanted the totp token to be displayed on a separate page. So, I subsequently cut the login to two pages. One for the username and password and another for the totp token.

I thought of taking the user's login username and password through the first page, then matching it with the db to see if they were correct and if they where, they would be routed to another page with a totp token input. This page would take the token input and verify it with the database token generated from the user that was entered in the previous page.

It is in creating such a separate route for the 2fa that all my problems arose. For example,

You have to make sure no one could access the 2fa page if they haven't already gone through the login page and successfully entered the right credentials.

You also have to persist the info about who exactly authenticated from the login page into the 2fa page so the token input can be verified with the right user from the db.

And I have no idea how to persist knowledge of who went through the first login step to the second. I first thought of using session storage to store the id of the user when they successfully go through the first login process so the second route could pick up that session and identify who is authenticating. But as cookies go. This isn't that secure.

So how can one securely implement multipage token-based two-factor authentication in Flask?