diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index 23d9542cf6bdc4fe492bba741ae8d79ede7b26b1..c0489babdfd67d895c057906786ce6c78e32cafb 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -374,20 +374,24 @@ resource "keycloak_authentication_execution_config" "registration_recaptcha_acti
 //      |- External Contributor subflow (A)
 //      |  |- External Contributor conditional subflow (C)
 //      |     |- Condition - User Role (External Contributor) (R)
-//      |     |- OTP Form (A)
 //      |     |- WebAuthn Form (A)
+//      |     |- OTP Form (A)
+//      |     |- External Contributor - Force OTP Setup Subflow (A)
+//      |        |- OTP Form (R)
 //      |- Staff Subflow (A)
 //      |  |- Staff conditional subflow (C)
 //      |     |- Condition - User Role (Staff) (R)
-//      |     |- OTP Form (A)
 //      |     |- WebAuthn Form (A)
-//      |     |- Force OTP Setup Subflow (A)
-//      |     |  |- OTP Form (R)
+//      |     |- OTP Form (A)
+//      |     |- Staff - Force OTP Setup Subflow (A)
+//      |        |- OTP Form (R)
 //      |- 2FA opt-in Subflow (A)
 //      |  |- 2FA opt-in conditional subflow (C)
 //      |     |- Condition - User Configured (R)
-//      |     |- OTP Form (A)
 //      |     |- WebAuthn Form (A)
+//      |     |- OTP Form (A)
+//      |     |- 2FA opt-in Fallthrough Subflow (A)
+//      |        |- Browser Redirect/Refresh (R)
 //      |- Fallthrough Subflow (A)
 //         |- Browser Redirect/Refresh (R)
 //
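Review bot: The diagram does not say when the new `2FA opt-in Fallthrough Subflow (A)` is reached. It sits inside the opt-in conditional subflow as a third alternative after `WebAuthn Form (A)` and `OTP Form (A)`, and its only step is `Browser Redirect/Refresh (R)`. From the comment alone a reader cannot tell whether a user who matches `Condition - User Configured` could satisfy this subflow through that alternative without presenting a second factor. I would add a line under it such as `//      |        (reached only when neither the WebAuthn nor the OTP form applies; does not complete authentication)`, worded to match what the resources actually do. The same entry is added to the IPR tree in the second hunk, and the resource blocks behind both are outside this diff, so the real requirement settings should be checked against the diagram.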
@@ -612,20 +616,24 @@ resource "keycloak_authentication_execution" "fallthrough_browser_redirect_refre
 // |- IPR External Contributor subflow (A)
 // |  |- IPR External Contributor conditional subflow (C)
 // |     |- Condition - User Role (External Contributor) (R)
-// |     |- OTP Form (A)
 // |     |- WebAuthn Form (A)
+// |     |- OTP Form (A)
+// |     |- External Contributor - Force OTP Setup Subflow (A)
+// |        |- OTP Form (R)
 // |- IPR Staff Subflow (A)
 // |  |- Staff IPR conditional subflow (C)
 // |     |- Condition - User Role (Staff) (R)
-// |     |- OTP Form (A)
 // |     |- WebAuthn Form (A)
-// |     |- Force OTP Setup Subflow (A)
-// |     |  |- OTP Form (R)
+// |     |- OTP Form (A)
+// |     |- Staff - Force OTP Setup Subflow (A)
+// |        |- OTP Form (R)
 // |- IPR OTP opt-in Subflow (A)
 // |  |- IPR OTP opt-in conditional subflow (C)
 // |     |- Condition - User Configured (R)
-// |     |- OTP Form (A)
 // |     |- WebAuthn Form (A)
+// |     |- OTP Form (A)
+// |     |- 2FA opt-in Fallthrough Subflow (A)
+// |        |- Browser Redirect/Refresh (R)
 // |- IPR Fallthrough Subflow (A)
 //    |- Browser Redirect/Refresh (R)
 //
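Review bot: The three subflows added to the IPR tree are labelled `External Contributor - Force OTP Setup Subflow`, `Staff - Force OTP Setup Subflow` and `2FA opt-in Fallthrough Subflow`, exactly as in the browser-flow diagram in the first hunk. The surrounding nodes here are all marked IPR, for example `IPR Staff Subflow` and `IPR Fallthrough Subflow`. If the IPR flow has its own subflow resources, the diagram should show their actual aliases, so that someone auditing the MFA path can match each node to a resource. If the subflows are shared with the browser flow, a one-line comment saying so would remove the ambiguity. The resource definitions are outside this hunk, so which case applies cannot be confirmed from here.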