Tracking upstream Iteration 1 issues

[iandunn]

These are upstream issues that we want/need done during the Iteration 1 milestone.

Support hardware keys

#114 was a shortcut for the MVP, but long term we'll want to run

• Add WebAuthn UI stub #87 / Add stub for WebAuthn UI #95
• Build rest of custom UI
• Support WebAuthn two-factor#427 (or propose alternative)
• Remove U2F two-factor#439 (optional, since it will be disabled by Filter which providers should be available to users #14 anyway)
• Migrate U2F keys to WebAuthn two-factor#491 (optional, it doesn't benefit us directly, but is somewhat necessary for the above ones)

Security best practices

• Add rate limiting to two factor attempts. two-factor#510
• Backup Codes: Always generate 10 codes via REST two-factor#514
• TOTP: Enforce single-use of TOTP one-time passwords. two-factor#517
• Reauth 2nd factor to change 2FA settings  two-factor#484
• Core: Reset compromised passwords after 2FA failures two-factor#482
• Standardise on int|WP_User input to the "for user" functions two-factor#535
• Add support for encrypting TOTP secrets two-factor#455 / Encrypt TOTP secrets. two-factor#389
• Add ability to re-encrypt secrets two-factor#456 (optional since we can do it manually if needed)

Misc

• Simplify alternate authentication method link text two-factor#516
• Be more tolerant of user input for auth codes two-factor#518
• Include whitespace between the leading text and the actual input. two-factor#519
• Use simpler/less-technical wording and UI. two-factor#521
• Add unit tests for Two_Factor_Provider::get_code(). two-factor#522
• Tests: Use WordPress 6.1.1 two-factor#524
• Tests: Generate an HTML coverage report when running tests locally. two-factor#525

[iandunn]

I moved some issues that don't seem like a high priority for this iteration to #240. Everything else has either been done, or doesn't need to be.