Verify setup of TOTP #24

Open
5 tasks
Firesphere opened this issue Nov 6, 2018 · 3 comments
@Firesphere
Collaborator

Firesphere commented Nov 6, 2018

As a user, after scanning the QR code in the CMS, I need to enter the TOTP code to update my settings.

ACs:

  • There is a field to enter the confirmation code below the QR code
  • The TOTP setup is not finished until the code has been successfully entered
  • A message below the field displays that the user should submit before the timer on the TOTP app runs out
  • The entered code is only validated, not stored
  • A valid code sets a flag that marks TOTP as enabled in the background

@brynwhyman
Collaborator

Should we handle all frontend in the login-forms module? That way we make no assumptions on how someone may want to use this module in the open source world. If so, I'd suggest moving some out of the ACs and tweaking others.

  • There is a field to enter the confirmation code below the QR code (move to login-forms)
  • The TOTP setup is not finished until the code has been successfully entered and the page submitted
  • A message below the field displays that the user should submit before the timer on the TOTP app runs out (login forms)
  • The code timer is able to be consumed by the login-forms module, so that it knows what time limit has been set and can imitate it on the frontend
  • The entered code is only validated, not stored
  • A valid code sets a flag that marks TOTP as enabled in the background

@Firesphere
Collaborator Author

Sorry, this one was for "from CMS only", but yeah, it can partially be included :)

@robbieaverill
Collaborator

I've labelled this as critical because it seems like a necessary part of the UX flow - it's certainly something I've always seen when setting up MFA for apps in the past
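
An added sketch of the server-side check that the acceptance criteria in this thread describe; it is not code from this project or from any commenter. The `TotpEnrollment` class, the 30-second period, the 6-digit length and the strict current-step-only validation are assumptions, and the secret in the demo is the constructed RFC 6238 test key.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

PERIOD = 30  # seconds per TOTP step (RFC 6238 default; assumed, not stated in the issue)
DIGITS = 6   # assumed code length


def totp(secret: bytes, now: float, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now) // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpEnrollment:
    """Hypothetical server-side state for one user's pending TOTP setup."""

    def __init__(self, secret: bytes):
        self.secret = secret   # the value shared with the app via the QR code
        self.enabled = False   # setup is not finished until confirm() succeeds

    def seconds_remaining(self, now: Optional[float] = None) -> int:
        """Time left in the current step, so a frontend can mirror the app's timer."""
        now = time.time() if now is None else now
        return PERIOD - int(now) % PERIOD

    def confirm(self, code: str, now: Optional[float] = None) -> bool:
        """Validate the submitted code; only the enabled flag changes, the code is not kept."""
        now = time.time() if now is None else now
        expected = totp(self.secret, now)
        ok = hmac.compare_digest(expected.encode(), code.strip().encode())
        if ok:
            self.enabled = True
        return ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample: RFC 6238 test key
    pending = TotpEnrollment(secret)
    print(pending.confirm(totp(secret, time.time())), pending.enabled)
    print("seconds left in this step:", pending.seconds_remaining())
```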
