2fa, optional to users, required for Roles with sensitive access #355

Open
@dpslwk

Description

Use Google 2fa TOTP/HOTP
Allow user to set this up if they want, and regen secret, disable it
on login, if set up, redirect to a new page to submit the OTP

so new col on user to store key

new flag col on Role
role requires user to have 2fa setup
don't allow user to be added to a role until they have 2fa working
don't allow user with role to disable 2fa

add an array to config/hms
with a list of permissions that require roles to have 2fa
when role->addPermission() check the list and kick back if not allowed (might need to do this in the role manager?? or a custom validation?)
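
The three checks described in this issue, sketched in PHP 8 as an added example (not part of the original issue and not the project's code). The `User` and `Role` classes, their properties, the `TWO_FACTOR_PERMISSIONS` constant standing in for the `config/hms` array, and the permission name are all assumptions.

```php
<?php
// Hypothetical in-memory model. This constant stands in for the array in
// config/hms; the permission name is constructed for the example.
const TWO_FACTOR_PERMISSIONS = ['members.view.all'];

final class User {
    public array $roles = [];
    public function __construct(public string $name, public bool $twoFactorEnabled = false) {}
    // A user holding any role that requires 2FA may not switch 2FA off.
    public function disableTwoFactor(): void {
        foreach ($this->roles as $role) {
            if ($role->requiresTwoFactor) {
                throw new DomainException("{$role->name} requires 2FA; it cannot be disabled");
            }
        }
        $this->twoFactorEnabled = false;
    }
}

final class Role {
    public array $permissions = [];
    public function __construct(public string $name, public bool $requiresTwoFactor = false) {}
    // Permissions on the list may only go to a role flagged as requiring 2FA.
    public function addPermission(string $permission): void {
        if (in_array($permission, TWO_FACTOR_PERMISSIONS, true) && !$this->requiresTwoFactor) {
            throw new DomainException("{$permission} needs a role that requires 2FA");
        }
        $this->permissions[] = $permission;
    }
    // A user joins a 2FA-required role only once their 2FA is working.
    public function addUser(User $user): void {
        if ($this->requiresTwoFactor && !$user->twoFactorEnabled) {
            throw new DomainException("{$user->name} must set up 2FA before joining {$this->name}");
        }
        $user->roles[] = $this;
    }
}

// Constructed sample data: two allowed operations, then three refused ones.
$admin = new Role('Admin', requiresTwoFactor: true);
$admin->addPermission('members.view.all');
$alice = new User('alice', twoFactorEnabled: true);
$admin->addUser($alice);
foreach ([
    fn () => (new Role('Member'))->addPermission('members.view.all'),
    fn () => $admin->addUser(new User('bob')),
    fn () => $alice->disableTwoFactor(),
] as $attempt) {
    try { $attempt(); } catch (DomainException $e) { echo "refused: {$e->getMessage()}\n"; }
}
```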
