Two autentications on one realm

We would like to adopt the self-rollout of a token into our IDM. To do this, we use the Rest API.
Since the user does not have a token yet, he would have to authenticate himself against the authentication userstorage. But in general we don’t want the user to be able to log in with only one factor to create his second factor (security condition). So the authentication privacyidea is our default configuration for logging in to the WebUI. The login against the authentication privacyidea works only with second factor (even if the user has no token yet). [Here I am not sure if this is the default config or has been overwritten by us].
Therefore we are looking for the possibility to log in with only one factor and roll out an initial token in case the user does not have a “first” token yet.
Our idea was to use the conditions of the policies.
There is a condition that can check the token. But it is not possible to check if there is a token at all. Because this aborts with the error that there is no object.

We would like to have the same for the deactivation/locking of tokens in addition to the rollout, so that the users can deactivate the tokens themselves in a timely manner using a factor.

Does anyone have a solution for this?

Previous idea:
Allow the IDM portal servers to generally use 1FA auth and request a 2FA for certain actions each time. → However, I don’t think this is the best option, because if the portal is hacked, it could be bypassed.
The same applies to a system account for rolling out new tokens on the server.

Welcome katgirl,

finding the best match to configure enollment and recovery processes can be a matter of discussing for hours or days. This is hardly s.th. that will work out in a forum post.
I can only give you some hints.
Consider getting professional help or also listen to my podcast:

This could be done using the passthru policy or a registration token or any other simple initial token.

That’s correct. Your understanding of this policy condition is wrong.
Only use extended policy conditions when you know what you are doing and you read ths docs a couple times.
https://privacyidea.readthedocs.io/en/master/policies/conditions.html

See my generic answer above. Also, you can not have the same, since it is not the same situation with the same parameters. (“User has no token” vs. “User has a token”)

@cornelinux thanks, i had a knot in my head