Add support for 2FA using Duo.com

[jevonearth]

Add two factor authentication support to that auth daemon using Duo.com

Supporting documentation:

https://duo.com/docs/authapi-guide

• Duo support can be enabled/disabled using a config file flag.
• Enrollment flow that displays QR code. User is expected to install or already have installed the Duo mobile app.
• Ability for an existing user account to enable 2FA (Clarification of flow/policy needed)
• Add a duo_2fa property to config.yaml

  duo_2fa:
  integration_key: <INTEGRATION_KEY>
  secret_key: <SECRET_KEY>
  api_hostname: <API_HOSTNAME>

  We might want to allow storing the secret using HashiCorp Vault when #7 is ready

Unknowns/needs research

Can we manually add accounts in Duo, and they match up to users based on email address? There's an enroll endpoint allowing users to match their duo account with our (this) application.

[carte7000]

Here is the duo go client https://github.com/duosecurity/duo_api_golang which is incomplete but might be useful for reference.