Thank you, Cornelius. I think I get the idea…
I have one more follow-up (related) question: can I have ALL token options behave like the push token does?
Namely: enter Group/Username/Password; the latter as a PIN only. The second window pops up.
In this window you enter your TOTP code, Yubikey hash or press Allow on your mobile when using the push token. And click Continue (if needed)…
As it stands right now, neither TOTP nor Yubikey will work this way…
Maybe this is what duyphung meant by splitting authentication into two windows?