Ok, but that's a bit insufficient: when it creates a JWT, it's in the context of a specific client/application, with some redirect URL(s), designed to give access.
While in these cases, it would have to be a different URL. So Sphinx would need to be able to figure this out and redirect to a different page. But I do not think we can code that, right? I cannot see any way to redirect a user to the TOTP registration page, nor to any other page.
It would also time out before the user can register. And potentially stop mid-flight, leaving the user stranded, with no way to re-register and no way to proceed forward.
Besides, regardless of 2FA, I cannot see how to nicely create a disabled account, which is really a necessity, unless I have to define all users in advance, by the admins, manually, which is a more complicated path. It's much nicer to allow users to self-register. But then, if that's a bank account, you do not want to grant them access until after the account has been reviewed by the admins and explicitly enabled.
And the 2FA secrets: where are they stored, can I encrypt them, can I retrieve them later and can I set them initially?
There needs to be a standard way to do all those things...