Do bcrypt hash on invalid username

ERTwoFactorAuthenticationProcessor doesn't hash on invalid user name opening the possibility of enumeration attacks. Interesting article on the subject.

https://paragonie.com/blog/2016/01/on-design-and-implementation-stealth-backdoor-for-web-applications
