I have a requirement to implement 2FA. There will be some pages that require 1FA and other pages that require 2FA. So if the user tries to access a page that requires 1FA, they are redirected to external login page (we're using OIDC). Once 1FA authentication is successful, the user is presented with the 1FA page. Next, if the user clicks on a page that requires 2FA, they need to be redirected to 2FA external auth page.
Question is, how do we determine that the page requires 2FA for users that are already 1FA authenticated?
To enforce 1FA, there are couple of ways to restrict page access to authenticated users, such as CUG, or setting explicit authentication requirement through OSGI config in Apache Sling Authentication Service. But now that the user is already logged in, how do we designate that a certain page requires 2FA?