Additional configuration for hardening 2FA #4222
zacknewman started this conversation in Ideas
Currently one can require 2FA, disable 2FA remember, and disable certain forms of 2FA; however, it would be nice to also be able to disable API login, device login, TOTP, and the recovery code, in addition to adding WebAuthn attestation capabilities.
By disabling the recovery code, one can enforce the specific forms of 2FA which in cases like WebAuthn are stronger; however, with it enabled, the recovery code may be the "weakest" link and thus is more likely to be targeted than the stronger forms of 2FA. The diff to enforce this would be quite simple. Ditto for TOTP, device login, and API login. Note one can already disable e-mail, Yubico OTP, and Duo, so this is consistent with those options.
For environments that want to enforce the strongest form of 2FA, WebAuthn, it would be nice if attestation support were added as well. With attestation support, one can not only enforce WebAuthn but also enforce specific WebAuthn providers (e.g., a provider that stores a non-transferable credential in a tamper-resistant secure enclave). For ultra-secure environments, for example, any credential that can be transferred to the "cloud" is a non-starter. Unlike the code for disabling recovery codes and TOTP, this would require some more careful planning due to how one would want to model it in the configuration. In my specific case, I've enforced WebAuthn registrations such that only FIDO2 YubiKeys with firmware 5.2.a, 5.4.b, 5.5.c, and 5.6.d can be used; but that might be too restrictive since there are other FIDO2 providers that one may want to enforce.
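The "enforce specific WebAuthn providers" idea above rests on the AAGUID that an authenticator places in the attested credential data of a registration; an allowlist of AAGUIDs is how a relying party pins registrations to particular authenticator models. The following is an added example of that policy step written for this discussion, not Vaultwarden's code: the AAGUIDs, the `vault.example` RP ID and the helper names are constructed placeholders, and the example deliberately covers only the allowlist decision, which is meaningful only after the attestation statement signature has been verified against the vendor's root (that verification is not shown).

```python
import hashlib
import struct
from uuid import UUID

# WebAuthn authenticator data: rpIdHash(32) | flags(1) | signCount(4, big-endian), then,
# when the AT flag (bit 6) is set: aaguid(16) | credIdLen(2, big-endian) | credId | COSE key
FLAG_AT = 0x40
NONE_AAGUID = UUID(int=0)  # "none" attestation zeroes the AAGUID: no provider identity

# Constructed placeholder AAGUIDs; a real allowlist holds vendor-published AAGUIDs of permitted models.
ALLOWED_AAGUIDS = {
    UUID("11111111-1111-1111-1111-111111111111"),  # hypothetical enclave-backed key, model A
    UUID("22222222-2222-2222-2222-222222222222"),  # hypothetical enclave-backed key, model B
}

def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed header and, if present, the attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    flags = auth_data[32]
    info = {"flags": flags, "sign_count": struct.unpack(">I", auth_data[33:37])[0],
            "aaguid": None, "credential_id": None}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        info["aaguid"] = UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        info["credential_id"] = auth_data[55:55 + cred_len]
        if len(info["credential_id"]) != cred_len:
            raise ValueError("credentialId truncated")
    return info

def registration_allowed(auth_data: bytes, allowed=ALLOWED_AAGUIDS) -> tuple[bool, str]:
    """Policy gate: only allowlisted authenticator models may register. Apply it only
    after the attestation statement signature has been verified against the vendor
    root; the AAGUID bytes by themselves prove nothing."""
    info = parse_auth_data(auth_data)
    if info["aaguid"] is None:
        return False, "no attested credential data in registration"
    if info["aaguid"] == NONE_AAGUID:
        return False, "zeroed AAGUID ('none' attestation): provider cannot be identified"
    if info["aaguid"] not in allowed:
        return False, f"AAGUID {info['aaguid']} is not an allowlisted authenticator model"
    return True, "ok"

def build_auth_data(aaguid: UUID, cred_id: bytes, rp_id: str = "vault.example") -> bytes:
    """Constructed sample registration authenticator data for exercising the policy."""
    header = hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_AT | 0x01]) + struct.pack(">I", 0)
    return header + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"  # empty CBOR map
```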