New TOTP when none set up #25

Open
Firesphere opened this issue Dec 28, 2018 · 0 comments

As a user
When I select TOTP as my MFA method
I want to be presented with a screen that tells me I have not yet set up TOTP MFA
And be able to scan the QR code and enter the resulting 6-digit code
So I can easily set up TOTP without having to go into the CMS and set up my MFA after logging in

ACs

  • User can select TOTP as Second Factor method
  • User gets presented instructions and a QR code to scan
  • User can scan the QR code and enter the initial code for validation
  • User can set up TOTP during the login process
  • User can choose not to set up TOTP if the user is in grace period
  • The QR code is different each time, until the user sets up TOTP
  • Login validates if the entered code is valid for the given (QR-)secret
  • Only a valid code continues to log the user in
  • An invalid code warns the user the code is invalid
    • The QR code or secret does not change at this step
  • A user only has 3 (or more/less, configurable) chances at getting the initial setup code right
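
An added sketch of the enrollment check these acceptance criteria describe; it is not code from this project or from the issue author. It assumes standard RFC 6238 TOTP (HMAC-SHA1, 30-second step), and the `PendingEnrollment` class, its method names and the `ExampleCMS` issuer are hypothetical.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at Unix time `at`."""
    mac = hmac.new(base64.b32decode(secret_b32),
                   struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class PendingEnrollment:
    """Hypothetical server-side state for one unconfirmed TOTP setup."""

    def __init__(self, max_attempts=3):
        self.max_attempts = max_attempts  # configurable limit on setup attempts
        self.attempts = 0
        self.confirmed = False
        # Fresh random secret per enrollment, so each new setup shows a new QR code.
        self.secret = base64.b32encode(secrets.token_bytes(20)).decode()

    def provisioning_uri(self, account, issuer="ExampleCMS"):
        # otpauth:// key URI that the QR code encodes for authenticator apps.
        return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
                f"?secret={self.secret}&issuer={quote(issuer)}")

    def verify(self, code, at=None):
        """Return 'ok', 'invalid' (secret unchanged) or 'locked' (limit reached)."""
        if self.attempts >= self.max_attempts:
            return "locked"
        now = time.time() if at is None else at
        # Accept the current and previous time step to tolerate small clock drift.
        candidates = (totp(self.secret, now), totp(self.secret, now - 30))
        if any(hmac.compare_digest(c.encode(), code.encode()) for c in candidates):
            self.confirmed = True  # caller may now store the secret and finish login
            return "ok"
        self.attempts += 1  # the pending secret (and QR code) is deliberately kept
        return "locked" if self.attempts >= self.max_attempts else "invalid"
```

The secret should be written to the user's account only after `verify` returns `ok`; until then it lives with the pending login.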