I have configured a new authentication contract that first uses the secure name/password form and then TOTP.
Works fine and the secret is stored in LDAP.

But I would prefer to have only a user id and no password being entered prior to TOTP.
By using that way I can protect users from being locked via intruder.

Is there a way to configure this ?

I can only find the radius class where i can deselect password required, but that does not help with this.