Allow TOTP configuration options

[elliot-sawyer]

Certain aspects of the QR code and the authenticator should be configurable by the developer or CMS admin. This list includes:

• length of token (currently defaults to 6)
• Allow freshly expired or upcoming tokens to authenticate, currently not allowed. If the server time or user's time are not exactly synced, validation may fail.
• Some authenticator apps support changing the TOTP algorithm, for SHA1 (default), SHA256, and SHA512. Google Authenticator ignores this, but others may support it.
• Configurable counter and period. Google Authenticator ignores this, but others may support it.
• issuer and label currently defaults to SiteConfig.Title. This is ideally configureable by a CMS admin or via developer config. SiteConfig.Title should be the fallback
• extension hooks:
  • TOTPForm::getFormFields
  • TOTPForm::getFormActions
  • TOTPAuthenticator::validateTOTP
  • TOTPLoginHandler::validateTOTP

Other suggestions welcome in the comments

[elliot-sawyer]

PR for algorithm adjustment: https://github.com/elliot-sawyer/totp-authenticator/pull/10

[robbieaverill]

Labelled as impact/high because configurability is very important for this before stable release