This repository has been archived by the owner on Nov 7, 2023. It is now read-only.

Support two-factor authentication #93

Open
nakedible-p opened this issue Apr 8, 2018 · 1 comment

Comments

@nakedible-p

Currently Krypton support only requires the phone to be unlocked to allow acceptance of an operation - this is kind of two-factor, but not really:

  • lock screens are not mandatory
  • many users have a setting to keep phone unlocked when on body
  • many users have a setting to keep phone unlocked when a certain bluetooth device is near
  • lock screen may be opened by a really simple pattern, or perhaps just a swipe

There are many policies which require strict two-factor authentication (such as PCI DSS), which is currently not possible with Krypton.

The proposal would be to add setUserAuthenticationRequired to a key, which allows for either biometric authentication (fingerprint) or secure lock screen authentication (PIN code). Also, setUserAuthenticationValidityDurationSeconds is used to control how long any PIN code authentication is valid. These would need to be set when generating the key.
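As an added illustration of the proposal above (not Krypton's own code), this is how an Android Keystore key would be generated with the two flags named in the issue; the alias, RSA parameters and the hypothetical `sign` helper are assumptions for the example.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

public final class AuthGatedSshKey {
    // Hypothetical alias; the issue does not show Krypton's real key naming.
    private static final String ALIAS = "krypton-team-ssh-key";

    // Generates a keypair whose private key is unusable unless the user has
    // authenticated with a secure lock screen or biometric within the last
    // validitySeconds. Both settings are fixed at generation time, so an
    // existing key cannot be upgraded; a new key must be created.
    // If the device has no secure lock screen configured, generation fails
    // with an IllegalStateException instead of silently producing an
    // unprotected key, which addresses the "lock screens are not mandatory"
    // point above.
    public static KeyPair generate(int validitySeconds) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setKeySize(3072)                               // assumed size
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                .setUserAuthenticationRequired(true)
                // > 0: a PIN/pattern/password unlock within the window is enough.
                // -1: every single use needs a fresh (biometric) authentication.
                .setUserAuthenticationValidityDurationSeconds(validitySeconds)
                .build();
        kpg.initialize(spec);
        return kpg.generateKeyPair();
    }

    // Signs an SSH challenge. When the validity window has expired the
    // Keystore throws UserNotAuthenticatedException from initSign; the caller
    // must re-authenticate the user (for example via
    // KeyguardManager.createConfirmDeviceCredentialIntent) and retry.
    public static byte[] sign(byte[] challenge)
            throws UserNotAuthenticatedException, Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(challenge);
        return sig.sign();
    }
}
```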

@kcking
Contributor

kcking commented Apr 9, 2018

Agreed, these parameters can also be conveniently set in the team policy in the sigchain. Since they have to be known at key generation time, it might make sense to generate a new SSH keypair for team-related accesses.
