Extending on_after_login to check for the OTP would work in theory I think, but it happens only after the token is written to the DB and it's almost ready to be returned, so not ideal. Also to check the OTP there, you'd have to grab it from the Request object directly, which won't be typed or show up in the api docs, since the login route won't have any reference to the OTP.

Rewriting the login method in the auth backend has a similar issue as above, but can work a little better because you can add for example a Header dependency to the strategy, I guess something like:

def get_database_strategy(
    access_token_db: AccessTokenDatabase[AccessToken] = Depends(get_access_token_db), totp_header: Header
) -> DatabaseStrategy:
    return MyDatabaseStrategy(
        access_token_db, lifetime_seconds=get_config().ACCESS_TOKEN_EXPIRE_SECONDS, totp=totp_header
    )

Then you could access it from inside the login method as it receives the strategy. But this would mean raising an HTTPException from login if the OTP is missing from the header or if the OTP is wrong.

And finally, both of these options require that you need to somehow send the username, password and OTP to the /login endpoint. But if 2FA is optional in your app, you have no way to know before login that a user has 2FA enabled or not. You should not have a way to check that, as it's a security issue. So this means that if your request to /login with username and password failed with some error that tells you 2FA is enabled, then you'd have to send another request to /login with username and password again alongside with OTP. But you should minimize the amount of times you send the user's password around.

Here's what I did:

• I have another flow for activating 2FA that includes writing is_2fa_enabled=True in my User table. It will also store a totp secret which can be used with the pyotp package.
• In my UserManager, I extend the authenticate method to also check if 2fa is enabled AFTER username and password are authorized. If it's enabled, then raise a 401 and return a temporary short-lived token (e.g. jwt) that should only be stored in memory in the frontend:

    async def authenticate(self, *args, **kwargs) -> Optional[User]:
        user = await super().authenticate(*args, **kwargs)

        if user and user.is_2fa_enabled:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail={
                    "error": "MFA_REQUIRED",
                    "mfa_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",  # TODO
                },
            )

        return user

Raising HTTPException above is not super ideal since it's not listed as a possible response in upstream /login, but can't change that unless you extend get_openapi_login_responses_success from the transport. But it's not really a success response, so again not ideal.

• In the same UserManager, I also add a authenticate_mfa method that takes username, token and totp (or whatever you're using for mfa), and validates the token and otp (using pyotp). Here, we assume that if the user holds a valid mfa_token, then their username and password have already been authorized previously, so we don't need to see the password again.

    async def authenticate_mfa(
        self, username: str, mfa_token: str, totp_code: str
    ) -> Optional[User]:
        try:
            user = await self.get_by_email(username)
        except fastapi_users_exceptions.UserNotExists:
            return None

        if (
            user.is_2fa_enabled
            and mfa_token == "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."  # TODO
            and totp_code == "123456"  # TODO
        ):
            return user

        return None

• Finally, add a new endpoint to the auth router (or another router) to handle mfa authentication:

class MFALogin(BaseModel):
    username: str
    mfa_token: str
    totp_code: str


@router.post(
    "/login_mfa",
)
async def login_mfa(
    request: Request,
    user_manager: DBBoundUserManager,
    mfa_login: MFALogin,
    strategy=Depends(auth_backend.get_strategy),
):
    user = await user_manager.authenticate_mfa(
        username=mfa_login.username, mfa_token=mfa_login.mfa_token, totp_code=mfa_login.totp_code
    )

    if user is None or not user.is_active:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ErrorCode.LOGIN_BAD_CREDENTIALS,
        )
    if not user.is_verified:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ErrorCode.LOGIN_USER_NOT_VERIFIED,
        )

    response = await auth_backend.login(strategy, user)
    await user_manager.on_after_login(user, request, response)
    return response

The above is a replica of the login router found in https://github.com/fastapi-users/fastapi-users/blob/master/fastapi_users/router/auth.py#L44-L69
This is required because authenticate() exits the login router before doing the on_after_login, is_active and is_verified verifications.
It is not ideal since it means that if the upstream implementation of the login route changes then this methodology will either be affected, or things will break or be missing in login_mfa that might be important.

It seems to be working for me, but I'd love to hear opinions on a better method or if there's some issue with my approach.

Ideally, I think fastapi-users should let one override the credentials type (instead of having justOAuth2PasswordRequestForm hardcoded). I think that would be enough to implement the whole flow as you could just have two separate routes with two separate user managers (one for mfa and one for oauth), each with their own authenticate method that would receive the correct kind of credentials and validate accordingly.