flask-security
Add a way for application to granularly decide which authentication mechanisms should be allowed
With 2FA and unified sign in, there are now quite a few different ways users can authenticate. While these features are useful, they are 'global'. Applications might want to be able to provide finer granularity such as 'admins must use 2FA' or 'editors can use email callback to sign in'.
Ideally there would be some consistent callback or signal or ?? that gave detailed information about the identity and how they were authenticating and allow the app writer to 'allow' or 'disallow'. This would also help with basic auditing.
One simple idea is, as we have done for other things recently (e.g. verify_and_update_password) - simply add a login_user method to the UserMixin which by default would just call the current utils/login_user() method - but could be overridden...
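The override idea above, shown as an added sketch that is not Flask-Security code and not part of the original issue. The local `UserMixin` stand-in, `default_login_user`, `PolicyUser`, the `authn_via` argument, the mechanism labels and `AUDIT_LOG` are all hypothetical names chosen for illustration.

```python
# Added sketch: every name here is hypothetical; nothing below is Flask-Security's API.
from dataclasses import dataclass, field

AUDIT_LOG = []  # in-memory stand-in for an audit sink


def default_login_user(user, authn_via):
    """Stand-in for the library's global login routine: always succeeds."""
    user.authenticated = True
    return True


@dataclass
class UserMixin:
    """Local stand-in for the mixin the issue wants to extend."""
    email: str
    roles: set = field(default_factory=set)
    authenticated: bool = False

    def login_user(self, authn_via):
        # Default hook: defer to the global routine, as the issue proposes.
        return default_login_user(self, authn_via)


class PolicyUser(UserMixin):
    """Application subclass that allows or disallows a login per role."""

    def login_user(self, authn_via):
        used = set(authn_via)
        if "admin" in self.roles:
            # 'admins must use 2FA': password plus a second factor
            allowed = {"password", "totp"} <= used
        elif "editor" in self.roles:
            # 'editors can use email callback to sign in'
            allowed = bool(used & {"password", "email_link"})
        else:
            allowed = "password" in used
        # Record the identity, the mechanisms used and the decision.
        AUDIT_LOG.append((self.email, tuple(sorted(used)), allowed))
        return allowed and super().login_user(authn_via)
```

The default mixin accepts any mechanism, so only applications that override the hook change behaviour, and a denied attempt never reaches the global login routine.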