
Use time-based authentication codes #16

Merged (18 commits), Mar 4, 2014

Conversation

mattmueller (Contributor)

This changeset reworks the manner in which secondary authentication codes are generated and verified. Much of the work is based on this article.

This has the following benefits:

  • The gem is now much closer to compliance with RFC 6238, with the ability to be fully compliant depending on how it is implemented.
  • Google Authenticator is now supported as a mechanism by which one-time codes can be retrieved.
  • Some level of testing is introduced.

This is definitely a breaking change, so it would require a major version bump. I would love to hear any thoughts and welcome any additional changes to this PR.

@Houdini (Owner) commented Feb 28, 2014

Thanks, I didn't notice this commit 8 days ago; I'll check it within 2 days.

@mattmueller (Contributor, Author)

Sounds great - thanks!

@Houdini (Owner) commented Mar 4, 2014

Ok,
I really like the way your commits modify the library.
Special thanks for the specs :)
However, I also don't like:

  • The user should add both has_one_time_password and devise :two_factor_authenticatable.
  • Some questions are still open. How will the server share the secret with the user? I'm absolutely sure the gem has to answer this question. One solution: when the user has no otp_secret_key, the gem renders an intermediate page with a form where the user can submit a secret or accept the server's one.
  • What if the user has no top-class smartphone and can't use Google Authenticator? I want to say that SMS is still a simple and good way to do two-factor authentication without time limits.

@Houdini (Owner) commented Mar 4, 2014

Your commit gave me the motivation to return to gem development, and I'd like to complete it.
Could you give me some advice about sharing the secret between the user and the server? What's the best way?
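As an added example (not code from this PR or from the two_factor_authentication gem), the plain-Ruby module below shows both things the thread discusses: the RFC 6238 time-based codes the PR description introduces (RFC 4226 HOTP under the hood, a verification window for clock drift, constant-time comparison) and one answer to the secret-sharing question raised above, namely a random 160-bit secret, its base32 form, and the otpauth:// key URI that Google Authenticator scans from a QR code on an enrolment page. The module and method names (TotpExample, hotp, totp, verify, generate_secret, base32_encode, provisioning_uri) and the issuer/account strings are assumed for illustration; the secret "12345678901234567890" is the RFC 4226/6238 test-vector key, not a real credential.

```ruby
require 'openssl'
require 'erb'

# Added example (not the gem's own code): RFC 4226 HOTP + RFC 6238 TOTP,
# plus a Google Authenticator provisioning URI. All names are illustrative.
module TotpExample
  STEP   = 30 # RFC 6238 default time step, in seconds
  DIGITS = 6  # Google Authenticator displays 6 digits

  # RFC 4226: HMAC-SHA1(secret, 8-byte big-endian counter), then dynamic truncation.
  def self.hotp(secret, counter, digits: DIGITS)
    msg  = [counter >> 32, counter & 0xFFFFFFFF].pack('NN')
    hmac = OpenSSL::HMAC.digest('SHA1', secret, msg)
    off  = hmac.getbyte(19) & 0x0f
    bin  = ((hmac.getbyte(off) & 0x7f) << 24) |
           (hmac.getbyte(off + 1) << 16) |
           (hmac.getbyte(off + 2) << 8) |
           hmac.getbyte(off + 3)
    (bin % 10**digits).to_s.rjust(digits, '0')
  end

  # RFC 6238: the counter is the number of STEP-second windows since the Unix epoch.
  def self.totp(secret, time = Time.now.to_i, digits: DIGITS, step: STEP)
    hotp(secret, time / step, digits: digits)
  end

  # Accept the current window plus/minus `drift` windows, comparing in constant time.
  # A real server must also record the last accepted counter so a code cannot be replayed.
  def self.verify(secret, code, time = Time.now.to_i, drift: 1, digits: DIGITS, step: STEP)
    return false unless code.is_a?(String) && code.match?(/\A\d{#{digits}}\z/)
    counter = time / step
    (-drift..drift).any? { |d| secure_compare(hotp(secret, counter + d, digits: digits), code) }
  end

  # Constant-time string comparison (no early exit on the first differing byte).
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # RFC 4226 recommends a 160-bit shared secret; keep it server-side, encrypted at rest.
  def self.generate_secret
    OpenSSL::Random.random_bytes(20)
  end

  # RFC 4648 base32 without '=' padding, the form authenticator apps accept.
  BASE32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
  def self.base32_encode(bytes)
    bytes.unpack1('B*').scan(/.{1,5}/).map { |c| BASE32[c.ljust(5, '0').to_i(2)] }.join
  end

  # Key URI format understood by Google Authenticator. Render it as a QR code, or show
  # the base32 secret for manual entry, on the enrolment page; then require one valid
  # code from the user before marking the secret as confirmed.
  def self.provisioning_uri(secret, account, issuer)
    label = ERB::Util.url_encode("#{issuer}:#{account}")
    "otpauth://totp/#{label}?secret=#{base32_encode(secret)}" \
      "&issuer=#{ERB::Util.url_encode(issuer)}&algorithm=SHA1&digits=#{DIGITS}&period=#{STEP}"
  end
end

if __FILE__ == $PROGRAM_NAME
  key = '12345678901234567890' # RFC 4226 / RFC 6238 test-vector secret (constructed input)
  puts TotpExample.totp(key, 59, digits: 8)           # 94287082, per RFC 6238 Appendix B
  puts TotpExample.verify(key, TotpExample.totp(key)) # true
  puts TotpExample.provisioning_uri(TotpExample.generate_secret, 'alice@example.com', 'ExampleApp')
end
```

Two things the code leaves to the caller matter in production: persist the highest counter already accepted per user and reject anything at or below it (otherwise a code remains valid for the whole drift window), and rate-limit attempts, since a 6-digit space is small enough to brute-force without it. The SMS path mentioned in the thread would reuse hotp with a server-held counter instead of a time-derived one.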

Houdini added a commit that referenced this pull request on Mar 4, 2014: "Use time-based authentication codes"
Houdini merged commit 4d5e289 into Houdini:master on Mar 4, 2014