Instead of provider: 'any' I’d like to specify specific factors e.g. ‘One Time Password’, ‘Email’, or ‘Recovery Code’ based on user.metadata. Is this possible?
Unfortunately, this is not possible. The only available MFA providers include any, guardian, google-authenticator, and duo as you have found.
With that, I recommend that you create a feedback request asking to support enforcing a specific MFA factor using Rules.
For now, one possible workaround would be to enable only one MFA factor for your current tenant with your App. Then if other factors are needed, you could use an alternative tenant.
Please let me know if you have any additional questions.