Add support for FIDO2 WebAuthn MFA

[ALescouet]

Add Okta FIDO2 WebAuthn workflow as a possible second factor using the fido2 python library.

Use --factor-priority webauthn to change this new factor priority.

Signed-off-by: Alexis Lescouet alexis@lescouet.com

[ALescouet]

@zdave What are your thoughts on this PR? I couldn't test with other hardware tokens but it works with the Yubikey 5, I also own an older yubikey 4 that I could test with if you feel that is needed.

[zdave]

I don't have access to a GlobalProtect+Okta VPN any more, so I can't really test anything. I'd be happy to submit this if it's working for you though. A few comments:

• If you're going to use click.echo and click.prompt it would be good to convert the existing print/input calls to use these too.
• I would make the fido2 import optional, like pyotp is, so people don't need to install it unless they want to use it.
• There's quite a bit of FIDO2 MFA logic so I would pull it out into its own function.
• The websafe_decode(websafe_encode(obj)) bit in the b64 function seems like a no-op. If it isn't, should add a comment explaining what is going on!

[ALescouet]

@zdave Thank you for reviewing this PR. I think I addressed all your comments, please tell me if anything else needs modifying.