Require OTP for Webui if one exists

Q: “What if…?”
A: “Well, everything is fine, then!”

The policies @aauer mentioned define, that the user should be authenticated against privacyIDEA (webui policy loginmode) and how the user should then be authenticated (passthru and also otppin).

Your question is very vague. So you might need to elaborate on your question.

(You might want to read this post)