More granular control over disabling 2FA options

Allow disabling one U2F device but not others
Allow disabling one U2F device but not authenticator-based 2fa
Disabling authenticator-based 2fa should disable all U2F keys as well (debatable?)