User authenticated in any way in the 1st factor, even with neither email nor username identity, should be allowed to use arbitrary 2nd factor (OTP/password/SMS).
This can easily happen when user has only X509 identity, or identifier, and corresponding authN method is used for the 1st factor.
Fixed for SMS and OTP. Passwords and cert credentials should be updated too but that's unlikely to be practically needed (use of them as 2nd factor). Can be fixed later, should be easy now, basing on solution for OTP and SMS.