Imagine we have 2 groups:
standardUsers members only have an id and a password as credentials.
but authorizationUser do have a 2FA when they self-create their account or their account is created.
Of course since the members of authorizationUsers group are only a few, we could plan a manual creation but I ask this question in the context of a delegation (of authorizationUsers members).
I’m replying to myself
I think I found what I was looking for thanks to Thomas Darimont.
It’s not exactly what I was seeking but it’s not very far.
This extension allows to modify the way a client is reached by introducing in the workflow (Browser for example) a group belonging.
That could play the game for me if there were 2 different clients but that’s not the case: it’s the same client with different pages (example of a wordpress site and an access to /wp-admin).
In my use case, the group belonging is NOT a trigger to go farther in the workflow it’s a matter for enabling another mean of authentication.