On first login, validate the just-entered mobile number

[bickelj]

On the first login flow, the user has no mobile number with which to use as another factor of authentication, and the user enters that mobile number. On subsequent logins, 2FA is active, but that first login does not (yet) require validation of the mobile number.

The mobile number should be validated via OTP on first login somehow.

[reefdog]

Gonna add a framing requirement that will probably require onerous special-casing of auth logic, but:

Until the user provides and confirms their 2FA, they shouldn't actually be able to use their authentication to do anything. (I clarify that last point so we don't get in the weeds on what actually constitutes authentication.)

[kfogel]

This seems related to issue #5 though not exactly a dup of it.