Reauth 2nd factor to change 2FA settings

[iandunn]

Most sites w/ strong 2FA require re-authorizing the 2nd factor in order to make any changes to 2FA settings. Without that, certain types of attacks could disable 2FA, add unauthorized keys, etc.

For convenience, there could be a ~5 minute time window when re-auth isn't required, similar to sudo in Unix-based systems.

Related #476

[dd32]

In order to facilitate this, having a cookie set that contains the last-time that 2FA was processed would be beneficial.

The redirect code in #490 may also be beneficial here, as with some validation of said cookie, could require re-auth to continue.