Add developer docs for step-up-auth

The following discussion from !207665 (merged) should be addressed:

• @mkaeppler started a discussion: (+3 comments)

  thought: Thanks for documenting this! I don't have a good suggestion, but I wonder how we can ensure that developers don't forget about this. If I were to add a new controller that should enforce step-up auth, but I've never heard about it, I will not look at this code module and read these docs 🤔

  Do we have a sense for what kinds of controllers would require this to be included? Is it all controllers, or is that a case by case decision to be made? If there was a pattern to detect this, we could create a Cop to enforce this module inclusion.