The approach I am using is to return a flag in the JWT that says that the TOTP is not set up. I then will show a page in the webcore app that will have the QR Code displayed that will enable them to set it up in an authenticator app.
I'm still working my way through this as there are not really enough events on the Sphinx Config that I'd like. In other (non Sphinx apps) we offer the user the option to receive the validation code by Email or SMS rather that use an authenticator app (you'd be surprised how many companies don't use them). So a OnTOTPRequested event would be very useful. see TSphinxConfig event for OnSend2FACode - BIZ / BIZ Feature Requests - TMS Support Center