Ask for password before enable/disable 2FA

[zaherg]

Hey,

Since the user might login from multiple devices, it would be better to protect the ability to enable/disable (and for sure generating new recovery code) something like

1. Just the enable/disable https://d.pr/v/itaIyQ
2. All buttons require confirmation https://d.pr/v/hrQW5R

I can submit a Draft PR with the code I added/changed to be reviewed and edited as required.

Thanks

[taylorotwell]

Closing as this is a feature request.

[zaherg]

hey @taylorotwell can I have your thoughts about this #20