Just my opinion but you shouldn’t do this. You are just giving people a possible attack vector. Sometimes an obscure message is just the way you want to go.
But, if you really want to do this you could for example create your own API endpoint and check it there while they are typing or implement your own authenticator