should consume_otp! raise an exception?

[krtschmr]

rather than false maybe raise OTPAlreadyConsumed would be better? In this case we could tell the user exactly why his login didn't worked.

example: user needs to whitelist his IP first via email confirmation link. it's all possible to do that within 30 seconds (login, otp, confirm link). now if the OTP would be the same he would just get a login that wasn't performable because we won't capture this event.

https://github.com/tinfoil/devise-two-factor/blob/5549aba9f73827c1b8e925f10f6a518e5b10aaf4/lib/devise_two_factor/models/two_factor_authenticatable.rb#L66