You need to do this in Keystone, since Horizon doesn't maintain any user data. BTW, you need Keystone v3 to do this. V2 authentication is not pluggable.
1) Add an auth plugin -- say OTP
2) Implement OTP functionality (https://github.com/nathforge/pyotp)
3) Horizon needs to get username/pwd + OTP value for login and pass it to Keystone
4) Now your request to Keystone will include 2 methods:
    {
        "auth": {
            "identity": {
                "methods": ["password", "OTP"],
                "password": {
                    "user": {
                        "name": "admin",
                        "domain": { "id": "default" },
                        "password": "adminpwd"
                    }
                },
                "OTP": {
                    "otp_value": "342342343"
                }
            }
        }
    }
This should give you a rough idea.
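
Added example, not part of the original answer and not Keystone's own code: a standard-library sketch of the check an "OTP" method handler would run on the request body shown above, using RFC 6238 TOTP. The function names, the per-user base32 secret and the 6-digit, 30-second parameters are assumptions; only the "OTP" method name and the "otp_value" key come from the request above.

```python
import base64, hashlib, hmac, struct, time

# Constructed sample secret (the RFC 6238 test key, base32); in practice one per user.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def build_auth_body(name, password, otp_value, domain_id="default"):
    """What Horizon would send: the two-method body from the answer."""
    return {"auth": {"identity": {
        "methods": ["password", "OTP"],
        "password": {"user": {"name": name, "domain": {"id": domain_id},
                              "password": password}},
        "OTP": {"otp_value": otp_value},
    }}}

def check_otp_method(body, secret_b32, now=None, window=1, step=30):
    """True only if both methods are requested and the OTP is current."""
    now = time.time() if now is None else now
    identity = body.get("auth", {}).get("identity", {})
    methods = identity.get("methods", [])
    # Refuse requests that try to skip either factor.
    if "password" not in methods or "OTP" not in methods:
        return False
    submitted = identity.get("OTP", {}).get("otp_value")
    if not isinstance(submitted, str):
        return False
    ok = False
    # Accept +/- `window` steps of clock drift; compare in constant time.
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok
```

A real plugin would also record the last accepted time step per user so that a code cannot be replayed inside the drift window.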