OTP after authentication

Can I chain authentication flows? I’d like to authenticate a user and then, conditionally, at a later time require them to pass the OTP flow.

I’m thinking that if I create a custom flow with the first action of Cookie that will result in a user being identified and then for the second action require OTP?

Any suggestions would be helpful, I’m in the process of playing around with flows in a sample application.

OK, I’ve prototyped this solution and it’s working.

I’ve created a custom RealmResourceProvider that’s serving up a RESTful TOTP resource for a user.

I’ve got an endpoint that returns the current status of the user’s OTP config (showing the secretKey if they’re set up or providing what I need to show a QR code if not).

I’ve got another endpoint that will validate the TOTP and optionally register a new OTP Credential for the user in the same way that the Accounts page would.

All of these endpoints authorize with the user’s Bearer Token so I can take the user to a page on my website and use AJAX requests to request the data from Keycloak, optionally show the QR Code for setup, and accept the TOTP value.

I’m reviewing this solution with our security team, but it looks promising.
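As an added illustration of the design described in this thread (example code written for this page, not the poster's prototype and not part of Keycloak itself), the sketch below is a custom RealmResourceProvider with two bearer-authenticated endpoints: one that reports whether the caller already has an OTP credential (returning a freshly generated secret and QR image only when they do not), and one that validates a TOTP code and, on first enrolment, stores it as an OTP credential the same way the account console would. The package name `example.otp`, the provider id `totp`, and the request shape are hypothetical; the Keycloak classes used (`AppAuthManager.BearerTokenAuthenticator`, `OTPCredentialModel`, `TimeBasedOTP`, `TotpUtils`, the user credential manager) are internal APIs whose exact signatures vary between releases, so they are assumptions to check against the version in use. JAX-RS imports are `javax.ws.rs` here; Keycloak 22 and later use `jakarta.ws.rs`.

```java
package example.otp; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.Config;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.models.*;
import org.keycloak.models.credential.OTPCredentialModel;
import org.keycloak.models.utils.HmacOTP;
import org.keycloak.models.utils.TimeBasedOTP;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;
import org.keycloak.utils.TotpUtils;

// Served at /realms/{realm}/totp/... once the factory is registered in
// META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory
public class TotpResourceProvider implements RealmResourceProvider {
    private final KeycloakSession session;

    public TotpResourceProvider(KeycloakSession session) { this.session = session; }

    @Override public Object getResource() { return this; }
    @Override public void close() {}

    // Resolve the caller from the Authorization: Bearer header; reject otherwise.
    private UserModel requireUser() {
        AuthenticationManager.AuthResult auth =
                new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
        if (auth == null) throw new NotAuthorizedException("Bearer");
        return auth.getUser();
    }

    private boolean hasOtp(UserModel user) {
        return user.credentialManager().isConfiguredFor(OTPCredentialModel.TYPE);
    }

    // GET /realms/{realm}/totp/status
    // Never returns an existing secret: once enrolled, the client only learns "configured".
    @GET @Path("status") @Produces(MediaType.APPLICATION_JSON)
    public Response status() {
        UserModel user = requireUser();
        RealmModel realm = session.getContext().getRealm();
        if (hasOtp(user)) {
            return Response.ok(Map.of("configured", true)).build();
        }
        String secret = HmacOTP.generateSecret(20);            // candidate secret for enrolment
        return Response.ok(Map.of(
                "configured", false,
                "secret", secret,
                "qrCode", TotpUtils.qrCode(secret, realm, user))) // base64 PNG, as the account console shows
                .build();
    }

    public static final class VerifyRequest {          // hypothetical JSON body
        public String code;   // the 6/8-digit TOTP value typed by the user
        public String secret; // only during enrolment: the secret returned by /status
        public String label;  // optional device label
    }

    // POST /realms/{realm}/totp/verify
    @POST @Path("verify") @Consumes(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
    public Response verify(VerifyRequest req) {
        UserModel user = requireUser();
        RealmModel realm = session.getContext().getRealm();
        if (req == null || req.code == null) throw new BadRequestException("code required");

        if (hasOtp(user)) {
            // Second-factor check against the credential already stored for this user.
            boolean ok = user.credentialManager().isValid(UserCredentialModel.otp(req.code));
            return ok ? Response.ok(Map.of("valid", true)).build()
                      : Response.status(Response.Status.FORBIDDEN).entity(Map.of("valid", false)).build();
        }

        // Enrolment: the code must validate against the candidate secret under the realm's OTP policy
        // before anything is persisted, so a mistyped or mis-scanned secret is never stored.
        if (req.secret == null) throw new BadRequestException("secret required for enrolment");
        OTPPolicy p = realm.getOTPPolicy();
        TimeBasedOTP totp = new TimeBasedOTP(p.getAlgorithm(), p.getDigits(), p.getPeriod(), p.getLookAheadWindow());
        if (!totp.validateTOTP(req.code, req.secret.getBytes(StandardCharsets.UTF_8))) {
            return Response.status(Response.Status.FORBIDDEN).entity(Map.of("valid", false)).build();
        }
        OTPCredentialModel model =
                OTPCredentialModel.createFromPolicy(realm, req.secret, req.label == null ? "" : req.label);
        @SuppressWarnings("unchecked")
        CredentialProvider<OTPCredentialModel> provider =
                (CredentialProvider<OTPCredentialModel>) session.getProvider(CredentialProvider.class, "keycloak-otp");
        provider.createCredential(realm, user, model);
        return Response.ok(Map.of("valid", true, "enrolled", true)).build();
    }

    public static class Factory implements RealmResourceProviderFactory {
        @Override public String getId() { return "totp"; }                       // hypothetical provider id
        @Override public RealmResourceProvider create(KeycloakSession s) { return new TotpResourceProvider(s); }
        @Override public void init(Config.Scope config) {}
        @Override public void postInit(KeycloakSessionFactory factory) {}
        @Override public void close() {}
    }
}
```

Two points a reviewer of this design would raise. First, the candidate secret round-trips through the client between `/status` and `/verify`; that is acceptable because the caller is already authenticated and is effectively choosing their own secret, but holding the pending secret server-side (for instance in the user's session notes) and accepting only the code is stricter. Second, Keycloak's brute-force detection is wired into the login flows, not into custom realm resources, so repeated wrong codes against `/verify` should be rate-limited or counted separately; the lookahead window from the realm's OTP policy is applied here, but nothing above locks the account after failures.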