In the past when authenticating a user with totp we used to include the username and
password in plain-text in hidden input fields on the login-totp form. This was not good in
case this html gets cached.
I've improved this by adding a password-token type credential. The flow now is:
1. User logs in with username and password
2. Password is verified, if valid a password-token is generated (realm name, user id and
timestamp encrypted with realm private key)
3. Redirect to login-totp, including password-token instead of password
4. User enters totp
5. Password token and totp is verified
Show replies by date