filter authenticate overruled

I have made my own extra security check that used to work with earlier versions. No matter what priority I use with filter authenticate, Cerber semes to overrule it. The idea is if a user misses my extra security check authenticate should return null.
I might be I the wrong forum but I hope someone can help 😊

public function validate_login($user, $username, $password){

	if ($_SERVER['REQUEST_METHOD'] !== 'POST'){
		return $user;
	}

	if (!$user instanceof WP_User){
		return $user;
	}

	if (!user_can($user->ID, 'manage_options')){
        return $user;
	}
	
	if (!isset($_POST["sms_code"]) || empty($_POST["sms_code"])){
	    self::session_end();
	    return;
    }

    $session_data = self::get_user_sms_session();
	
    if ($session_data["user_id"] == $user->ID && $session_data["sms_code"] == $_POST["sms_code"]){
		self::session_end();
        return $user;
    }

	self::session_end();
    return;
}