It's a little confusing how best to use Keycloak and realms; ideally I'd like to have a realm per application or group of interrelated applications, i.e. a realm for Jira, one for GitLab, for example, but the fact that users can't cross realms would make this difficult. I suppose you could use a social provider to mitigate setting up duplicate credentials, but I doubt it would help with OTP. Are there any proposals about separating the permissions of a user in a realm from their identity, i.e. you could have a global user (same creds and OTP) but where permissions in a realm can be changed independent of the user?

Appreciate your thoughts...
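Added illustration, not part of the original post: one way to get the split the question asks for (one set of credentials and OTP, permissions managed per realm) is Keycloak identity brokering, where each application realm treats a central realm as an OpenID Connect identity provider. The fragment below is a partial realm import for a hypothetical `jira` realm that brokers to a hypothetical `users` realm hosted at `sso.example.com`; the hostname, realm names, client id, alias and role names are assumptions, and the secret is a placeholder. With this in place the password and OTP prompts happen in the `users` realm's login flow, while the `jira` realm keeps a linked local user whose realm roles (here `jira-viewer`, `jira-admin`) are assigned and changed in the `jira` realm only.

```json
{
  "realm": "jira",
  "enabled": true,
  "roles": {
    "realm": [
      { "name": "jira-viewer", "description": "Assumed role: read-only Jira access" },
      { "name": "jira-admin", "description": "Assumed role: Jira administration" }
    ]
  },
  "identityProviders": [
    {
      "alias": "corp-users",
      "displayName": "Corporate login",
      "providerId": "keycloak-oidc",
      "enabled": true,
      "trustEmail": true,
      "storeToken": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "config": {
        "authorizationUrl": "https://sso.example.com/realms/users/protocol/openid-connect/auth",
        "tokenUrl": "https://sso.example.com/realms/users/protocol/openid-connect/token",
        "jwksUrl": "https://sso.example.com/realms/users/protocol/openid-connect/certs",
        "useJwksUrl": "true",
        "validateSignature": "true",
        "clientId": "jira-realm-broker",
        "clientSecret": "REPLACE-WITH-CLIENT-SECRET",
        "clientAuthMethod": "client_secret_post",
        "syncMode": "IMPORT"
      }
    }
  ],
  "identityProviderMappers": [
    {
      "name": "brokered-users-get-viewer",
      "identityProviderAlias": "corp-users",
      "identityProviderMapper": "oidc-hardcoded-role-idp-mapper",
      "config": {
        "syncMode": "INHERIT",
        "role": "jira-viewer"
      }
    }
  ]
}
```

The `clientId`/`clientSecret` pair belongs to a confidential client registered in the `users` realm whose redirect URI is the `jira` realm's broker endpoint, `https://sso.example.com/realms/jira/broker/corp-users/endpoint`. The hardcoded-role mapper only grants a baseline role on first login; anything beyond that (e.g. `jira-admin`) is assigned to the linked user inside the `jira` realm, which is what keeps per-realm permissions independent of the shared identity. The URL paths above use the current `/realms/...` layout; Keycloak versions before the Quarkus distribution prefix them with `/auth`.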