Initial support for time based OTP validation

[joamag]

Related #26

Notes

The current implementation is naive in the sense that relies on the defaults of pyotp. It has been verified to work with the "Google Authenticator".

[joamag]

• [x] We still need to show the OTP code generation with no border.
• [x] We still need to allow showing the name of the App for the OTP in the OTP URI to allow simple identification of the app

[joamag]

⚠️ Some quick considerations:

• [x] We cannot use the key as the follow-up token for OTP authentication
  • We should instead change session values (otp.username??) for the sequence, there should also exist a otp.timeout value to prevent OTP auth from taking to long
• [x] The OTP QR code should include the App's name/description
• [x] We need to invalidate username and password API login in case there's OTP
  • People would have to send the otp field additionally via API GET params
• [x] The Social login flow should have a final step for OTP
• [x] The touch_login_s operation should not be performed once the username and password pass but only on _set_session - like in the social login flow