Problem/Motivation
Originally in https://security.drupal.org/node/176947
This module has an access control vulnerability.
The generated 2FA entry link is not bound to the session that started the login (anyone who has the URL can open it, including from a different browser) and it does not expire. The link stays valid until the user logs in successfully (which changes the last login time), changes the account name, or changes the password. Anyone who knows or guesses the URL can therefore reach the 2FA page and then attempt to gain access to the application by guessing the 6-digit verification code.
It is recommended to expire the 2FA link after a set timeframe (e.g., 2 minutes).
Steps to reproduce
Any TFA setup should exhibit the same issue; the steps below use Google Authenticator login (ga_login) on simplytest.me as one example.
Launching a test instance
- Navigate to https://simplytest.me/
- Under Evaluate Drupal Projects
- Enter ga_login
- Select “Google authenticator login (ga_login)”
- Select project version (latest 1.0-alpha6 (^8 || ^9))
- Click Advanced options
- Choose Drupal core version (9.4.0-alpha1)
- Click Add Additional project button
- Enter Real AES
- Select “Real AES (real_aes)”
- Select project version (latest 2.4 (^8 || ^9))
- Select Launch SandBox
Configuring instance
Log in with username and password
- Username: admin
- Password: admin
Create an encryption key
- Navigate to configuration > system > key
- Fill in key name and description
- Key type = Encryption
- Key size = 256
- Key provider = configuration
- Key value = Generate your own encryption key
Create an encryption profile
- Navigate to configuration > system > encryption profile
- Fill in label
- Encryption Method = Authenticated AES
- Encryption key = your recently created key
Enable TFA
- Navigate to configuration > people > two-factor authentication
- Check Enable TFA
- Roles required = authenticated user
- Allowed Validation plugins
- TOTP
- TFA Recovery Code
- TOTP settings
- Number of Accepted Codes = 2
- Use site name as OTP QR code name prefix = unchecked
- OTP QR Code Prefix = TFA
- Issuer = Drupal
- Recovery Codes = 9
- Encryption Profile = recently created
- Skip validation = 2
- Login plugins = unchecked
- All other settings leave as default
- Save configuration
Set up TFA for admin user
- Navigate to People
- Select user
- Select security tab
- Register TFA device
Test Case
- Log out of site
- Sign in with the user account that already has TFA set up
- Once redirected to the TFA page, copy the TFA URL from the browser address bar
- Open an incognito window in the browser and enter the URL. You will be taken to the same TFA page, with no session from the original login.
- Wait 10 minutes (any duration works, as the link does not expire)
- Enter the TFA code from the TFA device; you will be logged in
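The following is an added example (not the tfa module's code and not the patch attached to this issue) that models the weakness above in plain PHP: a weak entry hash derived only from account state, which stays valid for exactly as long as the summary describes, beside a hardened token that carries an issued-at time under an HMAC and is refused after a TTL. The `$account` array, the site secret, the function names and the 120-second TTL are assumptions for illustration; the module's real route, hash construction and storage differ.

```php
<?php
// Added illustration, not code from the tfa module or from the patch on this issue.
// Models the weakness described above: an entry hash built only from values that
// stay constant until the user logs in, renames or changes password is a durable,
// unauthenticated capability. The hardened token adds an issued-at time and a
// secret, and is rejected once it is older than TFA_ENTRY_TTL seconds.

declare(strict_types=1);

const TFA_ENTRY_TTL = 120; // seconds; the "expire after 2 minutes" suggested above

// Constructed sample account (assumption); real values come from the user entity.
$account = [
    'uid'        => 1,
    'name'       => 'admin',
    'pass'       => '$2y$10$placeholderhashplaceholderhashplaceholderhashplaceho',
    'last_login' => 1654000000,
];

// --- Vulnerable pattern: static hash, no time component, no secret ---------------
function weak_entry_hash(array $account): string {
    return hash('sha256', $account['uid'] . $account['name'] . $account['pass'] . $account['last_login']);
}

function weak_entry_valid(array $account, string $hash): bool {
    // Nothing in the input changes until a successful login, a rename or a
    // password change, so a captured URL stays usable indefinitely.
    return hash_equals(weak_entry_hash($account), $hash);
}

// --- Hardened pattern: HMAC over account state + issued-at, checked against TTL ---
function make_entry_token(array $account, string $site_secret, int $issued_at): string {
    // Account state is still covered, so a successful login keeps invalidating
    // the token; issued_at is covered too, so it cannot be edited to extend it.
    $payload = implode('|', [$account['uid'], $account['pass'], $account['last_login'], $issued_at]);
    $mac = hash_hmac('sha256', $payload, $site_secret);
    return $issued_at . '.' . $mac;
}

function entry_token_valid(array $account, string $site_secret, string $token, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    $issued_at = (int) $parts[0];
    // Reject tokens that are expired or dated in the future (skew or tampering).
    if ($issued_at > $now || $now - $issued_at > TFA_ENTRY_TTL) {
        return false;
    }
    // Recompute from the claimed issue time and compare in constant time.
    return hash_equals(make_entry_token($account, $site_secret, $issued_at), $token);
}

// --- Demonstration, mirroring the test case above ---------------------------------
$secret = 'site-private-key-from-settings.php'; // constructed placeholder
$t0 = 1654003600;                               // moment the user passes step one

$weak   = weak_entry_hash($account);
$strong = make_entry_token($account, $secret, $t0);

$t1 = $t0 + 600; // ten minutes later, as in the reproduction steps

// Weak hash: replaying the captured URL after ten minutes still passes.
var_dump(weak_entry_valid($account, $weak));
// Hardened token: accepted inside the TTL, refused after it.
var_dump(entry_token_valid($account, $secret, $strong, $t0 + 60));
var_dump(entry_token_valid($account, $secret, $strong, $t1));
// Rewriting the timestamp to extend the window fails the MAC check.
$tampered = $t1 . '.' . explode('.', $strong, 2)[1];
var_dump(entry_token_valid($account, $secret, $tampered, $t1));
```

Expiry alone closes the "wait any duration" part of the test case; it does not by itself stop someone who obtains the URL within the window from another browser. Binding the token to the session that completed the password step (for example by mixing a per-session nonce into the HMAC payload) closes that part as well, and both checks belong in the route's access check rather than in the form.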
Proposed resolution
Remaining tasks
User interface changes
API changes
Data model changes
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | tfa-entry-access-control-expiry-176947-d8.patch | 3.12 KB | jcnventura |
Comments
Comment #1
jcnventura created an issue. See original summary.
Comment #3
jcnventura
Comment #4
jcnventura
Comment #6
jcnventura
Comment #7
jcnventura
Comment #10
jcnventura
Comment #11
jcnventura