Secure "Reset Credentials" flow with TAN

Hello all,

I have the following problem:
the login process in keylcoak should be additionally secured by a so called TAN. For this purpose, I have implemented my own authenticator (“TanAuthenticator”, implementing “Authenticator, AuthenticatorFactory”) and integrated it into the authentication flow “Browser”, so that it is executed after “Username Password Form”.
This works fine as expected.

But if I add the “TanAuthenticator” to the flow “Reset Credentials” …

… and want to execute it after “Reset Password”, then during the “Password Reset” process the TAN query appears first and only then the query for the new password! The peculiarity is that after successfully setting a new password, you are logged in and redirected to the target URL.

Does anyone know something about this and can help me?