I realise this is a little late but I thought I'd post it nonetheless for anyone who is interested.
The entry in /etc/webmin/miniserv.users should be a TOTP secret in Base32 format.
So to log in simply run :
oathtool --totp -b 'SECRET' -v
Where SECRET
is the code between the quotes and it will spit out your Two-factor token enabling you to log in.
The -b says your giving it the SECRET
in Base32 (Hex is the default).
Then goto "Webmin->webmin Users" to disable TFA and re-enable it in the normal way.
Or if you want, you can use "qrencode" to re-create your google-authenticator setup without having to change the secret (handy if a group are sharing the same SECRET ...bad idea!! but this will save your bacon if one of you gets locked out).
$ qrencode -o ~/.totp-key.png "otpauth://totp/?secret=BASE 32 SECRET&issuer=Your name, etc."
NB. "oathtool" using the -v option allows you to see the SECRET in both Base32 and HEX so you can use either as necessary to setup any TFA app.
Also ensure that the machine you use has it's time sync'd correctly!
QED.