Implement multi-factor authentication backend in sensenet.
- [x] Global switch for the feature in the repository. This should be a setting, so that it can differ between subtrees:
  - Optional (default): if enabled on the user level, display the 2FA textbox, plus the QR code if the user has not registered yet
  - Disabled: no 2FA GUI, log the user in immediately
  - Forced: everybody gets the 2FA GUI
- [x] Configurable per user. New fields on the User content type:
  - MultiFactorEnabled (default: false)
  - MultiFactorRegistered: a one-time flag that is switched to true when the user first logs in successfully using 2FA, so that the QR code is not displayed again
  - per-user secret key, stored separately from the User content (for example as an access token), used to generate and validate 2FA codes
- [x] New sensenet APIs:
  - Checking the 2FA code: a new Validate method, with and without username/password.
  - GetMultiFactorAuthenticationInfo for getting the effective settings for the user (e.g. whether 2FA is enabled in that subtree). Response:
    - the QR code image URL, so that clients can display it in an img tag
    - the manual entry key, for clients that cannot scan the QR code
    - enabled/disabled flags (see above)
  - Resetting the code: simply switch the MultiFactorRegistered field off and delete the secret key. This forces the user to register a new QR code the next time they log in.
- [x] Tests
Admin UI and IdentityServer parts of the feature are in a separate issue.
Switching ON/OFF and regenerate

When a user or an admin flips the per-user switch:

- switching ON: (re)generate a new secret/QR code
- ~~switching OFF: clear previous secret/code~~

The per-user switch is only the user's own preference. If the global/local setting is Forced, the user switch is ignored and 2FA is required.
Recommended package: https://github.com/BrandonPotter/GoogleAuthenticator
Implementation reference: https://dotnetthoughts.net/how-to-implement-2fa-with-aspnet-core-without-identity/
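The design above, as an added stand-alone sketch (example code written for this page, not sensenet's own implementation) built on the recommended GoogleAuthenticator package. It shows how the three setting modes, the two per-user fields and the separately stored secret combine into the effective-settings lookup, validation with one-time registration, and reset. The names MfaUser, MultiFactorInfo, MultiFactorService, the enum MultiFactorMode and the issuer string "sensenet" are assumptions; the secret is kept on the user object here only for brevity.

```csharp
// Added example, not sensenet's own code: a stand-alone sketch of the backend design
// described in this issue, using the recommended GoogleAuthenticator package.
// Type, field and method names (MfaUser, MultiFactorService, ...) are assumptions.
using System;
using System.Security.Cryptography;
using Google.Authenticator;

// Global/subtree setting: Optional, Disabled or Forced.
public enum MultiFactorMode { Optional, Disabled, Forced }

// Mirrors the proposed per-user state. In sensenet the secret would live outside
// the User content (e.g. as an access token); it is inlined here for brevity.
public class MfaUser
{
    public string Name { get; set; }
    public bool MultiFactorEnabled { get; set; }    // per-user switch, default false
    public bool MultiFactorRegistered { get; set; } // set on the first successful 2FA login
    public string Secret { get; set; }              // null until switched on, or after a reset
}

// What GetMultiFactorAuthenticationInfo would hand back to a client.
public class MultiFactorInfo
{
    public bool Enabled { get; set; }               // effective: a code is required to log in
    public bool Registered { get; set; }
    public string QrCodeSetupImageUrl { get; set; } // only set while registration is pending
    public string ManualEntryKey { get; set; }
}

public static class MultiFactorService
{
    private const string Issuer = "sensenet"; // assumed issuer label shown in the authenticator app
    private static readonly TwoFactorAuthenticator Tfa = new TwoFactorAuthenticator();

    // Effective setting: Forced overrides the per-user switch, Disabled hides 2FA entirely,
    // Optional defers to MultiFactorEnabled.
    public static bool IsRequired(MultiFactorMode mode, MfaUser user) => mode switch
    {
        MultiFactorMode.Forced => true,
        MultiFactorMode.Disabled => false,
        _ => user.MultiFactorEnabled
    };

    // Switching ON (and re-registering after a reset): a fresh CSPRNG secret replaces the old one.
    public static void RegenerateSecret(MfaUser user)
    {
        var bytes = new byte[20];                    // 160 bits, the RFC 4226 recommended minimum
        RandomNumberGenerator.Fill(bytes);
        user.Secret = Convert.ToBase64String(bytes); // with secretIsBase32 = false the package uses
                                                     // the string's UTF-8 bytes as the HMAC key
        user.MultiFactorRegistered = false;
    }

    public static MultiFactorInfo GetMultiFactorAuthenticationInfo(MultiFactorMode mode, MfaUser user)
    {
        var info = new MultiFactorInfo
        {
            Enabled = IsRequired(mode, user),
            Registered = user.MultiFactorRegistered
        };
        // The QR code carries the secret, so it is exposed only while registration is pending.
        if (info.Enabled && !info.Registered)
        {
            if (string.IsNullOrEmpty(user.Secret)) RegenerateSecret(user);
            SetupCode setup = Tfa.GenerateSetupCode(Issuer, user.Name, user.Secret, false, 3);
            info.QrCodeSetupImageUrl = setup.QrCodeSetupImageUrl;
            info.ManualEntryKey = setup.ManualEntryKey;
        }
        return info;
    }

    // Validate: the 2FA step, run after the username/password check succeeded (or on its own).
    public static bool Validate(MultiFactorMode mode, MfaUser user, string code)
    {
        if (!IsRequired(mode, user)) return true; // Disabled, or Optional with the switch off
        if (string.IsNullOrEmpty(user.Secret) || string.IsNullOrEmpty(code)) return false;
        // Allow one 30-second step of clock drift; pass the tolerance explicitly
        // instead of relying on the package default.
        if (!Tfa.ValidateTwoFactorPIN(user.Secret, code, TimeSpan.FromSeconds(30))) return false;
        user.MultiFactorRegistered = true; // first success completes registration; no more QR code
        return true;
    }

    // Reset: clear the flag and the secret so the next login goes through registration again.
    public static void Reset(MfaUser user)
    {
        user.MultiFactorRegistered = false;
        user.Secret = null;
    }
}
```

Two points worth checking when wiring this into the real backend: the validation tolerance should be passed explicitly and kept to a step or two, since a generous window multiplies the number of codes an attacker can guess; and the package version you pin should return QrCodeSetupImageUrl as a locally rendered data: URI, because earlier releases built it as an external chart-service URL that carried the otpauth secret to a third party.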