Add 2FA for login via password.

[keyctl]

To improve security, e.g. agains bruteforce attacks, we could require 2FA when a user wants to login via password authentication.

The assignments provides us with email addresses, which we could use in our network to implement a scheme like the one used by GitHub.

One thing to consider is how to handle a case where a user lost their certificates. That way, the user is not able to read encrypted emails, but they cannot login to our service as they have neither password nor certificate.

[Liblor]

If we don't implement it, we should put it at least under "additional countermeasures"