Added TwoFactor Authentication (RFC4226)

Tested against Google-Authenticator app on Android 4.4.4

Made `verify_hotp` more efficient.

Added autofocus on twofactor input

Added GUI Unlock and Remove for TwoFactor credentials in /edituser/

Allow additional tries after elapsed time from last try exceeds configured parameter `$config['twofactor_lock']`.
If `$config['twofactor_lock']` is not defined or is set to `0`, administrators have to unlock accounts that exceed 3 failures via GUI.

Added Documentation

Moved TwoFactor form to logon.inc.php
Disabled autocomplete on twofactor input field
Updated Docs to include link to Google-Authenticator's install-guides

Moved authentication logic from authenticate.inc.php to twofactor.lib.php

typo in docblock for `twofactor_auth()`

Fixed scrutinizer bugs

To please scrutinizer
This commit is contained in:
f0o
2014-12-24 21:22:02 +00:00
parent 7dccc13a6c
commit d66cec7017
8 changed files with 472 additions and 5 deletions

@ -75,9 +75,15 @@ if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token
$_SESSION['user_id'] = get_userid($_SESSION['username']);
if (!$_SESSION['authenticated'])
{
$_SESSION['authenticated'] = true;
dbInsert(array('user' => $_SESSION['username'], 'address' => $_SERVER["REMOTE_ADDR"], 'result' => 'Logged In'), 'authlog');
header("Location: ".$_SERVER['REQUEST_URI']);
if( $config['twofactor'] === true && !isset($_SESSION['twofactor']) ) {
require_once($config['install_dir'].'/html/includes/authentication/twofactor.lib.php');
twofactor_auth();
}
if( !$config['twofactor'] || $_SESSION['twofactor'] ) {
$_SESSION['authenticated'] = true;
dbInsert(array('user' => $_SESSION['username'], 'address' => $_SERVER["REMOTE_ADDR"], 'result' => 'Logged In'), 'authlog');
header("Location: ".$_SERVER['REQUEST_URI']);
}
}
if (isset($_POST['remember']))
{
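Review bot: The two tests on `$config['twofactor']` in the added block do not agree: the first is strict (`$config['twofactor'] === true`) while the second is loose (`!$config['twofactor']`). If the option is set to a truthy non-boolean such as `1`, `twofactor_auth()` is never called, `$_SESSION['twofactor']` is never set, and the second `if` can never pass, so every login fails without a prompt. The second `if` also reads `$_SESSION['twofactor']` without `isset()`, which raises an undefined-index notice whenever the key is absent, and reads `$config['twofactor']` directly, which does the same on installs that never define the option. Suggest normalising the setting once (for example `$twofactor = !empty($config['twofactor']);`), using that variable in both conditions, and checking the session flag as `isset($_SESSION['twofactor']) && $_SESSION['twofactor'] === true` so that only an explicit success from the second factor sets `$_SESSION['authenticated']`. Separately, the `'Logged In'` authlog row is now written only after the second factor passes; nothing visible in this hunk records a correct password followed by a pending or failed second factor, which is worth logging for lockout and brute-force review if `twofactor_auth()` does not already do it.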