Require 2FA via authenticator to be set up before enabling U2F

Parent issue: #15337 (moved)

• Don't allow setting up U2F before a user sets up an authenticator application
• A user shouldn't lose access to their account if they lose their U2F key
• https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3905#note_11616033