When a user logs in with a username and password, when such password is stored in our database (using bcrypt), the number of rounds used can introduce a significant delay in password validation.
Since the validation job can be dispatched, the duration of this validation can happen in the background. During this time, the user could be requested to enter an OTP. Even so, a fast user may be too quick to have the credentials validated.