Commit
Remove: deprecated native MFA feature
- Context about its deprecation:
  - This feature is under-utilized, and requires further maintenance for which our team lacks the resource. (For example, this feature is potentially vulnerable because a secure Content-Security-Policy cannot be applied to its pages without breaking them.) The feature has also been marked as "not ready for production" for a few years now. So we opt to remove the feature and instead recommend using the external IDPs' own MFA features. See more context in #2196.
- This commit removes all MFA-specific codes, except for the following, on which we will make follow-up commits:
  - README's deprecation notice
  - database operations
  - Content-Security-Policy's exemption toward MFA endpoint (https://github.com/cloudfoundry/uaa/blob/72565fb56cd1f90af499119d32c891937f3c5a76/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/ContentSecurityPolicyFilter.java#L29)
  - breaking changes planning: cloudfoundry/uaa-release#739
- Further notes about specific changes in tests:
  - For PasscodeMockMvcTests.testLoginUsingPasscodeWithUnknownToken(), the assertion on response code is changed from 401 to 403. This is because 403 was the original asserted value before MFA was added (see: 92abee6). The 403 response also makes sense in the context of the test (authentication present but has insufficient access).

[#186854489]