This is a variation of FORM authentication and closely related to ELY-508.

The scenario would be prompt for a username, then prompt for a password and if the password is valid and the account supports OTP prompt for the OTP.

The mechanism may also be responsible for sending the OTP but that is probably a side topic.

I have raised this in terms of being a HTTP mechanism but the main point we need to ensure is covered is the requirements about identifying what checks are required for a specific user and tracking they are all complete.