Attempt to disable mfa when requesting an mfa token.
If we're to use the mfa api to pair a backup device we must not run mfa
verification while obtaining a token for mfa (because we couldn't if
we've lost the other device).
For the recovery case the two factors are:
- username + password
- mfa client secret encoded in qrcode
If we had multiple second factor devices we could arguably thighten that
up.
An alternative could be to allow a device to register itself without
oauth at all.