Add 2 factor authentication

Implement a provider for 2 factor authentication (2FA) using one time passwords as described in RFC 2289.

1. It is considered sufficient to provide Time-based One Time Password (TOTP) functionality.
2. It must be possible to recover from loss of the 2FA device by using a fixed set of recovery codes which can be downloaded.
3. Activating 2FA must include a process that provides recover code download and ensures checking of correctly working 2FA functionality.