You could implement a custom Authenticator to do a similar thing.
We’ve got an Email OTP Authenticator that sends an OTP to the user’s email after the user is identified (either with username or username and password). That might help you get started.
Can you help me understand how the user got the OTP without identifying themselves? I’m not familiar with the Fedora login flow.
Yes, it would really be a TOTP. It would be in an authenticator app and password manager. Password managers could fill in all three at once and you can click login.
Then you should look at the Authenticators for username/password and OTP. You can probably combine those into one custom that will allow you to do both at the same time.
As xgp was saying, customization makes it possible.
Nevertheless, the recommendation is to follow the Identify-First approach. This means the first step is user identification, followed by the appropriate authentication step. It no longer makes sense to do everything at once in the first step.
Turned out they are using LDAP for TOTP and just need the OTP concatenated to the password. Here’s what I made for anyone else looking: GitHub - hanthor/almalinux-keycloak-theme