The limitations of the Resource Owner Password Flow (ROPC) are something we’ve dealt with ever since the OAuth 2.0 specification was finalized. The flow was intended to support legacy applications that did not have a browser available, or to be used as a last resort for legacy use cases. The authors of the specification clearly signal that this flow is not recommended and should be avoided.
Curity’s CTO Jacob Ideskog recently wrote an article outlining that the authentication API may be the answer, and how a hypermedia API allows you to securely perform browserless, multi-factor login from your apps.
Have a read of his article, “ROPC is dead — Long Live the Authentication API”.