diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 18f478c..d0b0e82 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -54,6 +54,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v5 + with: + submodules: "recursive" - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -90,3 +92,22 @@ jobs: startsWith(github.ref, 'refs/tags/') }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + - name: Extract metadata (tags, labels) for Docker (Email OTP) + id: meta-eotp + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-eotp + + - name: Build and push (Email OTP) + uses: docker/build-push-action@v6 + with: + context: ./container + file: ./container/Dockerfile.eotp + build-args: BASE_IMAGE=${{ steps.meta.outputs.tags }} + platforms: ${{ env.PLATFORMS }} + push: > + ${{ github.ref == format('refs/heads/{0}', env.PUBLISH_BRANCH) || + startsWith(github.ref, 'refs/tags/') }} + tags: ${{ steps.meta-eotp.outputs.tags }} + labels: ${{ steps.meta-eotp.outputs.labels }} diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..cf8d59a --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "container/keycloak-2fa-email-authenticator"] + path = container/keycloak-2fa-email-authenticator + url = https://github.com/mesutpiskin/keycloak-2fa-email-authenticator.git diff --git a/README.md b/README.md index e597953..2131252 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,10 @@ aws ecr get-login-password --region REGION | podman login --username AWS --passw podman push ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/example/keycloak:YYYY-MM-DD ``` +## Email-based OTP + +A second container is also available (`ecs-keycloak-eotp`) which supports email-based OTP using [keycloak-2fa-email-authenticator](https://github.com/mesutpiskin/keycloak-2fa-email-authenticator). + ## Deployment Import a HTTPS certificate to ACM. 
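Review bot: In the first `.github/workflows/ci.yml` hunk, `submodules: "recursive"` fetches more than this change needs. `.gitmodules` declares a single submodule, and recursive mode would also clone any nested submodules the third-party repository carries at the pinned commit. `submodules: true` limits the checkout to the one declared dependency. The job's earlier steps lie outside the hunk, so it is worth confirming whether the checkout token stays in the workspace (`persist-credentials`) while third-party source is built later in the job.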
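Review bot: In the second `.github/workflows/ci.yml` hunk, `build-args: BASE_IMAGE=${{ steps.meta.outputs.tags }}` does not reliably name the image built earlier in this job. The metadata action's `tags` output is a newline-separated list, so with more than one tag the extra lines would be read as further build-args. On refs where `push` evaluates to false the first image never reaches the registry, so `FROM $BASE_IMAGE` would presumably fail or resolve to a previously published image rather than the one just built. Referencing the first build by digest ties the Email OTP image to a known base, e.g. `build-args: BASE_IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.<first-build-step-id>.outputs.digest }}`. The first build step starts outside the hunk, so its id is a placeholder here, and the step would still need to be skipped when nothing was pushed.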
diff --git a/container/Dockerfile.eotp b/container/Dockerfile.eotp
new file mode 100644
index 0000000..0fbd005
--- /dev/null
+++ b/container/Dockerfile.eotp
@@ -0,0 +1,12 @@
+ARG BASE_IMAGE=quay.io/keycloak/keycloak:latest
+
+FROM maven:3.9-eclipse-temurin-21-alpine AS otp-build
+
+COPY keycloak-2fa-email-authenticator/ /otp-email/
+RUN cd /otp-email && \
+ mvn clean package
+
+FROM $BASE_IMAGE AS target
+
+COPY --from=otp-build /otp-email/target/keycloak-2fa-email-authenticator*.jar /opt/keycloak/providers/
+RUN /opt/keycloak/bin/kc.sh build
diff --git a/container/keycloak-2fa-email-authenticator b/container/keycloak-2fa-email-authenticator
new file mode 160000
index 0000000..2b0d047
--- /dev/null
+++ b/container/keycloak-2fa-email-authenticator
@@ -0,0 +1 @@
+Subproject commit 2b0d047b33d5659391368e48d223fceebcc25723
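Review bot: `container/Dockerfile.eotp` resolves both of its images through mutable tags, the builder `maven:3.9-eclipse-temurin-21-alpine` and the default `BASE_IMAGE=quay.io/keycloak/keycloak:latest`, so the same commit can yield different authentication-server images over time. Pinning the builder by digest, e.g. `FROM maven:3.9-eclipse-temurin-21-alpine@sha256:<digest> AS otp-build`, and declaring `ARG BASE_IMAGE` without the `latest` default would make the provider build repeatable and make a build without an explicit base fail instead of silently using upstream latest. `mvn clean package` also resolves the third-party project's plugins and dependencies from the network at build time, so the submodule's commit pin covers its source but not everything that goes into the jar. The wildcard in `keycloak-2fa-email-authenticator*.jar` copies every matching artifact from `target/` into `/opt/keycloak/providers/`; naming the exact jar avoids loading an unintended one.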