Upgrade devise-two-factor and devise-pbkdf2-encryptable
As part of the Ruby 3.1/3.2 audit: we are currently on devise-two-factor 4.0.2, which is compatible with Ruby 3.0. CI support for Ruby 3.1 and 3.2 was added in devise-two-factor 5.0+. We should upgrade the gem to avoid manual testing against each updated Ruby in future. Note that this gem is a dependency of devise-pbkdf2-encryptable.
References
Original vulnerability issue: https://gitlab.com/gitlab-org/gitlab/-/issues/510619#note_2269213209
Recent issue: https://gitlab.com/gitlab-org/gitlab/-/issues/537195 & !190571 (closed)
Context (Ruby 3.3/4) Audit
The following discussion from !190571 (closed) should be addressed:
- @dblessing started a discussion (+1 comment): @habdul-razak Did you do lots of manual testing with this update? It makes me nervous because we override a lot of the 2FA behavior and we're also going through 2 major gem versions. I'll look through the changelog and see if there's anything to be concerned about. But lots of manual testing will be helpful, too.
What does this MR do and why?
- Address the breaking change
- attr_encrypted has been deprecated in favor of native Rails attribute encryption
Security enhancements:
- Brute force attacks must be mitigated (account lockouts and rate limiters we already have)
- Insufficient Default OTP Shared Secret Length (32 -> 52 new)
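The "32 -> 52" item above is easier to reason about in bytes of entropy. The following is an added example written for this issue, not code from GitLab or from devise-two-factor/ROTP; it assumes that 32 and 52 are the base32 character lengths of the generated shared secret, which correspond to 20 and 32 random bytes respectively (an assumption made here, not something the issue states). It encodes random bytes as unpadded base32, maps character length back to entropy bits, and shows a defender-side audit check that flags stored secrets still at the old default length, run here over a constructed sample rather than real data.

```ruby
require 'securerandom'

# RFC 4648 base32 alphabet, the encoding TOTP shared secrets are stored in.
BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze

# Encode raw bytes as unpadded base32 (5 bits per output character).
def base32_encode(bytes)
  bits = bytes.unpack1('B*')
  bits.scan(/.{1,5}/).map { |chunk| BASE32_ALPHABET[chunk.ljust(5, '0').to_i(2)] }.join
end

# Generate a shared secret from +byte_length+ CSPRNG bytes.
# Assumption: 20 bytes -> 32 chars (old default), 32 bytes -> 52 chars (new default).
def generate_otp_secret(byte_length)
  base32_encode(SecureRandom.random_bytes(byte_length))
end

# Number of unpadded base32 characters produced by +byte_length+ random bytes.
def base32_length_for(byte_length)
  (byte_length * 8.0 / 5).ceil
end

# Entropy (in bits) carried by a base32 secret of the given length, assuming
# every character came from a CSPRNG: only whole random bytes count, so a
# 52-char secret carries 256 bits, not 52 * 5.
def secret_entropy_bits(secret)
  (secret.length * 5 / 8) * 8
end

# Audit predicate: a stored secret is flagged if it is shorter than the new
# default length or contains characters outside the base32 alphabet.
def weak_otp_secret?(secret, min_chars: 52)
  secret.length < min_chars || secret.chars.any? { |c| !BASE32_ALPHABET.include?(c) }
end

# Return the ids of users whose stored secret fails the audit predicate.
# +secrets+ is a Hash of user_id => base32 secret (decrypted beforehand).
def audit_otp_secrets(secrets, min_chars: 52)
  secrets.select { |_id, secret| weak_otp_secret?(secret, min_chars: min_chars) }.keys
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: user 1 still has an old-default-length secret.
  sample = {
    1 => generate_otp_secret(20),
    2 => generate_otp_secret(32)
  }
  sample.each do |id, secret|
    puts "user #{id}: #{secret.length} chars, #{secret_entropy_bits(secret)} bits"
  end
  puts "users needing re-enrolment: #{audit_otp_secrets(sample).inspect}"
end
```

Existing users keep whatever secret was generated at enrolment time, so raising the default only affects new enrolments; an audit like the one above is how you would measure how much of the user base is still on the shorter secret.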