I need to implement the following use case.

My web application is authenticated against a given realm on keycloak, using a simple user / password authentication model. But a part of my web app would require a stronger authentication mechanism (a second factor in fact) based on the current user.

What's the "best" solution using keycloak ? I was thinking of two different solutions 

1. add an attibute in my OIDC token that could be named "level", and having an adapter that would check the level of the token, and if not corresponding, redirect to the realm that would ask for the second factor of authentication

2. Create a "2FA" realm,that would rely on the simple authentication realm... but is it possible in the same web app (I mean, to use two realms)

Open to any ideas

Thanks 

St