
Make 2FA optional for non-staff

I'm worried that requiring 2FA for non-staff (less tech-savvy users) would result in an increased support burden and bad user experience, as I expect that a non-significant chunk of the users won't back up their TOTP credentials.

AFAIK Keycloak does not support this out-of-the-box, so we would need to create our own authenticator.

Proposal:

  • Create a custom (conditional) authenticator SPI