Secret manager with out of band secret approval / denial

Open brendanheywood opened this issue 4 years ago • 1 comments

This is an extension of https://github.com/catalyst/moodle-tool_mfa/issues/232 with some nicer UX / workflows

These are optional and a factor can opt into them. An example workflow is this:

  1. On desktop you log in and are on an MFA step which prompts for a code, e.g. 123 456
  2. You receive the code via a message, say Telegram or SMS, but you also receive two links in the message to approve or deny this code
  3. On your mobile device, i.e. not in the same session and not even logged in, you can click either of those links to approve the code
  4. When the approve link opens it says 'saving' with a spinner icon and in the background it sets the code as approved
  5. In the main desktop window it polls and if the secret has been approved then it automatically goes to the next step
  6. On your mobile device it also polls and can see that it's moved to the next step and then changes to say 'approved' with a big green tick
  7. If the secret has been denied then it hard fails the login attempts, big red cross and maybe some help text for what to do next like reset passwords or whatever
  8. If the 'out of band' page happens to actually be the same session as the main MFA, i.e. you are logging in on mobile and get the SMS on mobile, or logging in on desktop and get say a Telegram message in the desktop Telegram app, there is potential for further streamlining things but this is bonus points

  • [ ] when creating a secret have another flag for whether they can be approved out of band
  • [ ] have a set of endpoints for approving a secret out of band
  • [ ] have helpers which create the URLs for approving and denying a secret
  • [ ] the custom secret mform input should manage the polling with very little special input
  • [ ] AJAX / WS endpoint for polling

brendanheywood, Sep 03 '20 00:09
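
A sketch of the secret lifecycle the issue describes (out-of-band flag, approve/deny URL helpers, decision endpoint, polling), added here as an example; it is not code from tool_mfa or from the issue author. The class and method names, the `moodle.example` URL, the in-memory store and the HMAC-signed links are all assumptions.

```php
<?php
// Added sketch, not tool_mfa code: every class, method and URL below is hypothetical.
final class OobSecretStore {
    private array $secrets = [];   // constructed in-memory store: id => state, expiry, oob flag
    public function __construct(private string $key, private string $baseurl) {}

    // Checklist item 1: a flag on the secret says whether out-of-band approval is allowed.
    public function create(bool $oob, int $ttl, int $now): string {
        $id = bin2hex(random_bytes(16));
        $this->secrets[$id] = ['state' => 'pending', 'expires' => $now + $ttl, 'oob' => $oob];
        return $id;
    }

    // Assumption: links carry an HMAC over id and action, so one link cannot be rewritten into another.
    private function mac(string $id, string $action): string {
        return hash_hmac('sha256', $id . '|' . $action, $this->key);
    }

    public function url(string $id, string $action): string {
        $params = ['id' => $id, 'action' => $action, 'sig' => $this->mac($id, $action)];
        return $this->baseurl . '?' . http_build_query($params);
    }

    // Out-of-band endpoint: the caller has no session, so the signature is the only authority.
    public function decide(string $id, string $action, string $sig, int $now): bool {
        $s = $this->secrets[$id] ?? null;
        $valid = in_array($action, ['approve', 'deny'], true) && hash_equals($this->mac($id, $action), $sig);
        // Single use: only a pending, unexpired, opted-in secret can change state.
        if (!$valid || $s === null || !$s['oob'] || $s['state'] !== 'pending' || $now > $s['expires']) {
            return false;
        }
        $this->secrets[$id]['state'] = $action === 'approve' ? 'approved' : 'denied';
        return true;
    }

    // Polling endpoint shared by the login page and the out-of-band page.
    public function poll(string $id, int $now): string {
        $s = $this->secrets[$id] ?? ['state' => 'unknown', 'expires' => $now];
        return ($s['state'] === 'pending' && $now > $s['expires']) ? 'expired' : $s['state'];
    }
}

// Constructed run: deny the login first, then try to approve the same secret afterwards.
$store = new OobSecretStore(random_bytes(32), 'https://moodle.example/oob.php');
$now = time();
$id = $store->create(true, 300, $now);
foreach (['deny', 'approve'] as $action) {
    parse_str((string) parse_url($store->url($id, $action), PHP_URL_QUERY), $q);
    var_dump($store->decide($q['id'], $q['action'], $q['sig'], $now), $store->poll($id, $now));
}
```

Messaging apps and mail scanners often fetch links to build previews, so the state change belongs in a request made by the opened page, as in step 4, rather than in the initial GET.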