Landy
Jan 9, 2021

Hmm. I'm not sure I understand your question. But I think you misunderstood the article: I'm not implementing 2FA on the client, but on the server. As I pointed out in the article:

"I want to emphasize all of this should happen on the server! Please don’t pass around secrets on the client-side."

Secret generation, token generation and validation all occur on the server. And the client communicates via API. You don't want to risk exposing secrets on the client or give any malicious user the opportunity to access those secrets through attacks.

I'm not familiar with AES keys, because I haven't personally worked with them. But, if you're validating user login with a secret and key, then that should occur on the server.

Written by Landy

Software Engineer | LinkedIn: simpslandyy | IG: miss.simpsonn. |
