gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Deprecate TOTP as a 2nd factor #20725

Open zmb3 opened 1 year ago

zmb3 commented 1 year ago
I think we should gradually deprecate TOTP from the product, as Webauthn has gained wide adoption.

Originally posted by @klizhentas in https://github.com/gravitational/teleport/issues/20540#issuecomment-1403036035

webvictim commented 1 year ago

Is the idea that we should just allow the use of no second factor at all when the user's browser doesn't support webauthn or they don't want to use it?

TOTP isn't elegant but it does have the advantage of being portable and easy to understand. It also requires no configuration, whereas Teleport still isn't smart/opinionated enough to set its own public address (see #4864).

By all means we should strive to make webauthn the default but I think fully deprecating TOTP is likely to cause confusion. Not everyone is an advanced user who keeps up with the times.

klizhentas commented 1 year ago

@webvictim that's a good point, let's consider this a tracking issue. Let's collect the impact first:

https://developers.yubico.com/WebAuthn/WebAuthn_Browser_Support/

It seems like most desktop browsers are OK with webauthn, while not all mobile browsers are ready for it yet. Let's review the impact if we disabled TOTP and only worked with webauthn and passwordless.

gabrielcossette commented 7 months ago

I believe TOTP should be kept, as this is a nice failsafe in case a user doesn't have his Webauthn-compatible device with him at the time.

klizhentas commented 7 months ago

That's a reasonable argument, however with the rise of phishing, we have no choice but to deprecate password-only and TOTP flows to protect critical infrastructure.