Better developer documentation on MFA

[brynwhyman]

There are a couple of nuances with using the MFA modules on a CWP site.

These should be captured as Developer documentation on the CWP.govt.nz website.

Points to touch on:

• Highlight that it will be part of the installer in version CWP 2.6
• The TOTP base secret is provided by default on standard CWP stacks, not for the CWP Cloud (AWS) stacks
• Docs to ensure that Developers get the TOTP encryption key .env variable for their local dev environment
• Point to docs on how to install the modules if not on CWP 2.6
• Summary of the feature set, what CMS users it applies to, how to customise the functionality, etc.
• Highlight the known limitations and edge cases. This is currently scattered in module documentation and internal support docs. This includes how MFA relates to working with snapshots between environments
• Direct readers to more information about the Security Key method, the known limitations, and in what situations it might be a suitable option for sites
• Note about WebAuthn in the CWP 2.6 changelog, see: Changelog for 2.6.0 #275 (review)

[michalkleiner]

One thing to add to the list would be how MFA relates to working with snapshots between environments, e.g. when PROD content is moved to UAT for testing or UAT to local DEV etc.

[brynwhyman]

Thanks @michalkleiner, added to the description. We'll be getting to this within the next fortnight.