tfa: log all tfa verify errors and treat as failure, count

tfa: log all tfa verify errors and treat as failure, count

Use a custom result type to return success/failure and the
need to save the user data to the caller, while having
logged the error messages rather than returning them.

We count general TFA failures and also TOTP specifically,
and lock the user out of their 2nd factors on too many
failures.

To this end, all errors are now treated as failures.
While technically we can have crypto errors the user might
not be able to cause, we can't always know, and not all
errors are guaranteed to be a host side configuration issue,
so instead, all errors (since they are rare) now now counted
as a regular TFA error.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>