diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 1b5db5c97e..05c73455c1 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -577,6 +577,8 @@ static krb5_error_code request_otp(krb5_context ctx,
         goto done;
     }
 
+    kr->otp = true;
+
     for (i = 0; chl->tokeninfo[i] != NULL; i++) {
         DEBUG(SSSDBG_TRACE_ALL, "[%zu] Vendor [%s].\n",
                                 i, chl->tokeninfo[i]->vendor);
@@ -600,12 +602,9 @@ static krb5_error_code request_otp(krb5_context ctx,
     /* Allocation errors are ignored on purpose */
 
     DEBUG(SSSDBG_TRACE_ALL, "Setting otp prompting.\n");
-    if (kr->otp) {
-        kerr = k5c_attach_otp_info_msg(kr);
-        if (kerr != EOK) {
-            DEBUG(SSSDBG_CRIT_FAILURE,
-                  "Failed to add otp prompting data.\n");
-        }
+    kerr = k5c_attach_otp_info_msg(kr);
+    if (kerr != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add otp prompting data.\n");
     }
 
 done:
@@ -625,7 +624,8 @@ static krb5_error_code answer_otp(krb5_context ctx,
 
     type = sss_authtok_get_type(kr->pd->authtok);
     if (type != SSS_AUTHTOK_TYPE_2FA_SINGLE
-            && type != SSS_AUTHTOK_TYPE_2FA) {
+            && type != SSS_AUTHTOK_TYPE_2FA
+            && type != SSS_AUTHTOK_TYPE_PAM_STACKED) {
         DEBUG(SSSDBG_MINOR_FAILURE, "Unexpected authentication token type [%s]\n",
               sss_authtok_type_to_str(type));
         return ERR_CHECK_NEXT_AUTH_TYPE;