Support MFA

After #18.

All user's authentication mechanisms are then made available. And once one is used (and correctly authenticated) only those available for the user are made available.

Organizations should be able to require MFA.

Allow configuring authentication mechanisms as satisfying MFA by themselves. Make SIPASS be one such.

In the future we could satisfy that by 3rd party providers by information returned from them based on which authentication mechanism was used for 3rd party provider itself, when they expose such information.

MFA is counted based on authentication mechanisms and not based on credentials. Multiple passkeys do not count as multiple factors, multiple e-mail addresses not as well.